Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group)
2025-06-12 • Ahnlab
ASEC observed Kimsuky targeting professors with paper-review phishing lures that delivered password-protected HWP documents containing malicious OLE objects. When the victim opened the document and followed the embedded “More…” prompt, peice.bat copied the staged files, registered a scheduled task named GoogleTransltatorExtendeds, and placed cool.exe, cool.exe.manifest, and template.ps1 under C:\Users\Public\Music\. The executable launched by the task decoded Base64-encoded VBScript embedded in the manifest and ran template.ps1, which collected process and antivirus information and sent it to the actor’s Dropbox. Related follow-on activity downloaded files named myapp, mnfst, attach, sch_0, vpost, and bimage to configure hidden AnyDesk access using attacker-supplied service.conf and system.conf files. The case highlights Kimsuky’s combination of academic social engineering, shared cloud storage, scheduler-based persistence, and legitimate remote-access tooling to compromise selected targets.
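The staging path, file names, and task name above are concrete enough to hunt for in endpoint telemetry. The following is an added example (not code from ASEC or the report) that runs simple hunt rules over a constructed log of file-creation and scheduled-task events; the log format and the AnyDesk configuration path under C:\ProgramData\AnyDesk are assumptions for the sample, not values taken from the report.

```python
import ntpath
from typing import Optional

# Indicators taken from the report above.
STAGING_DIR = r"C:\Users\Public\Music"
STAGED_FILES = {"cool.exe", "cool.exe.manifest", "template.ps1"}
TASK_NAME = "GoogleTransltatorExtendeds"
ANYDESK_CONF = {"service.conf", "system.conf"}

# Constructed sample log: "<timestamp> <event kind> <path or task name>".
# The AnyDesk config location is an assumed path, not one stated in the report.
SAMPLE_LOG = r"""
2025-06-10T09:01:11 FileCreate C:\Users\Public\Music\cool.exe
2025-06-10T09:01:11 FileCreate C:\Users\Public\Music\cool.exe.manifest
2025-06-10T09:01:12 FileCreate C:\Users\Public\Music\template.ps1
2025-06-10T09:01:13 TaskCreate GoogleTransltatorExtendeds
2025-06-10T09:02:40 FileCreate C:\Users\Public\Music\holiday.mp3
2025-06-10T09:05:00 FileCreate C:\ProgramData\AnyDesk\system.conf
2025-06-10T10:00:00 TaskCreate OneDrive Standalone Update Task
"""

def match_event(kind: str, value: str) -> Optional[str]:
    """Return the name of the hunt rule an event triggers, or None."""
    if kind == "TaskCreate":
        return "kimsuky_task" if value.lower() == TASK_NAME.lower() else None
    if kind == "FileCreate":
        folder, name = ntpath.split(value)
        if folder.lower() == STAGING_DIR.lower() and name.lower() in STAGED_FILES:
            return "kimsuky_staged_file"
        if name.lower() in ANYDESK_CONF and "anydesk" in value.lower():
            return "anydesk_config_written"
    return None

def hunt(log: str) -> dict:
    """Group matching log lines by rule and add a verdict when the chain is complete."""
    hits: dict = {}
    for line in log.strip().splitlines():
        _ts, kind, value = line.split(" ", 2)
        rule = match_event(kind, value)
        if rule:
            hits.setdefault(rule, []).append(value)
    # Staged files plus the scheduler task is the persistence step described above.
    if {"kimsuky_staged_file", "kimsuky_task"} <= hits.keys():
        hits["verdict"] = ["scheduler persistence chain observed"]
    return hits

if __name__ == "__main__":
    for rule, values in hunt(SAMPLE_LOG).items():
        print(rule, values)
```

Matching on the full staging directory rather than the bare file name keeps unrelated files under C:\Users\Public\Music\ (the holiday.mp3 line) from firing the rule.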