Kaspersky's Q2 2022 APT trends report says Kimsuky targeted a South Korean media company and a think tank in January with spear phishing carrying macro-enabled Word documents and Hangeul decoys tied to Korean Peninsula issues. After infection, the actor delivered Visual Basic script and abused a legitimate blog service to host a malicious script, with extra victim verification stages and malware testing inside a compromised victim network. The same report notes Lazarus activity against South Korean entities using updated DeathNote delivery with wAgent malware, while identifying defense and financial institutions as primary Lazarus targets.