Understanding the Context of Cyber Threats: Lessons from the Kimsuky Group Attack
2023-03-06 • Kaspersky
The article describes a campaign by the GoldDragon cluster of the Kimsuky group in early 2022 against defense, political, and North Korea-related individuals. The infection chain started with spear-phishing and used several delivery formats (Word documents, HTA files, and CHM files) to move through two or more stages before delivering information-stealing payloads. The author highlights that the command-and-control server checked the target's email address, the client IP address, and a custom “chnome” user-agent before serving later-stage malware, which limited exposure of the later-stage tools to researchers and unintended victims. The report argues that defenders need full-chain visibility: first-stage weaponized documents are numerous and change frequently, while final-stage executables are rarer, less exposed, and reused for long periods.
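To show both sides of the gating described above, here is an added Python example (not Kaspersky's code and not the actor's server script): a model of the server-side check that hands out the next stage only when the user-agent is “chnome” and both the e-mail and the client IP are on the operator's list, and a detection pass over web proxy log lines that flags that user-agent. The log lines, IP addresses, paths and the `email` request field are constructed for the example; the report names the three checks but not their parameter names or how the real script combined them, so the all-three-must-match logic is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# --- 1. Model of the server-side gate (assumed logic: the report names the three
#        checks but not how the real script combined them) -----------------------

STAGE_UA = "chnome"  # the custom user-agent the report describes


@dataclass(frozen=True)
class Request:
    client_ip: str
    user_agent: str
    email: Optional[str]  # victim identifier sent by the first stage (hypothetical field)


@dataclass(frozen=True)
class TargetList:
    emails: FrozenSet[str]
    ips: FrozenSet[str]


def gate(req: Request, targets: TargetList) -> str:
    """Return "next-stage" only when all three checks pass; a sandbox replay,
    a researcher's fetch or a non-targeted host gets a harmless decoy instead."""
    if req.user_agent != STAGE_UA:
        return "decoy"
    if req.email is None or req.email not in targets.emails:
        return "decoy"
    if req.client_ip not in targets.ips:
        return "decoy"
    return "next-stage"


# --- 2. Detection: flag the custom user-agent in proxy / web server logs ---------

# Constructed Combined Log Format lines; addresses and paths are sample data.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2022:09:14:03 +0000] "GET /index.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.7 - - [02/Feb/2022:09:15:41 +0000] "GET /update/st.php HTTP/1.1" 200 1188 "-" "chnome"
10.0.0.9 - - [02/Feb/2022:09:16:02 +0000] "GET /update/st.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/98.0"
10.0.0.7 - - [02/Feb/2022:09:17:10 +0000] "POST /update/up.php HTTP/1.1" 200 20 "-" "chnome"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Parse one Combined Log Format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_user_agent_hits(log_text: str, suspicious=(STAGE_UA,)) -> List[Dict[str, str]]:
    """Return parsed records whose User-Agent exactly equals a suspicious value.
    Exact (case-insensitive) matching keeps false positives low: a real browser
    never sends a bare "chnome", so a substring match is not needed."""
    wanted = {ua.lower() for ua in suspicious}
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and rec["ua"].strip().lower() in wanted:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    targets = TargetList(emails=frozenset({"analyst@example.org"}),
                         ips=frozenset({"203.0.113.10"}))
    victim = Request("203.0.113.10", STAGE_UA, "analyst@example.org")
    sandbox = Request("198.51.100.7", "Mozilla/5.0 (Windows NT 10.0)", None)
    print("victim  ->", gate(victim, targets))   # next-stage
    print("sandbox ->", gate(sandbox, targets))  # decoy
    for hit in find_user_agent_hits(SAMPLE_LOG):
        print("suspicious UA:", hit["ip"], hit["method"], hit["path"], hit["ua"])
```

The gate is why a sandbox detonation of the first-stage document usually ends with the decoy: the sandbox comes from the wrong address and carries no targeted e-mail, so the later stage is never observed. The log check is the cheap complementary control on the defender's side; pairing it with a review of which hosts received a non-empty response from the same path gives the full-chain view the report asks for.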