KimJongRAT Continues to Evolve Using LOTS
2026-06-25 • IIJSECT • KimJongRAT Continues to Evolve Using LOTS
https://sect.iij.ad.jp/blog/2026/06/continuous-evolution-of-kimjongrat-2026/
IIJ-SECT observed a May 2026 Kimsuky-linked KimJongRAT campaign that redirected targets from shortened links in emails to malicious ZIP files hosted on GitHub Releases, each containing an LNK payload. The infection chain used mshta, obfuscated VBScript, and encrypted payloads hosted on Google Drive, with separate execution paths depending on whether Windows Defender was running. Newer KimJongRAT samples no longer hardcoded C2 addresses; instead they downloaded an encrypted C2 configuration from Google Drive at runtime, and they also gained an experimental MeshAgent installation capability intended to preserve access if the malware itself was quarantined. GitHub removed one abused repository on May 27, but the actor created another repository days later, suggesting that this LOTS (living off trusted sites) delivery pattern may continue.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | pxqtkc.corpsecs.com | 2026-06-25 | 2026-06-25 |
| URL | https://pxqtkc.corpsecs.com | 2026-06-25 | 2026-06-25 |
| HASH | 221a39856b37e3c682f62427f1e6b96… | 2026-06-25 | 2026-06-25 |
| HASH | 107b5aa3c4ef30b9b832e0a10b1efb1… | 2026-06-25 | 2026-06-25 |
| HASH | 9758e76b601798a30d903bf05052a53… | 2026-06-25 | 2026-06-25 |
| HASH | e4ccb2328c06710a7f0254cb6315e1b… | 2026-06-25 | 2026-06-25 |
| IPv4 | 104.200.67.46 | 2026-06-25 | 2026-06-25 |
| IPv4 | 89.116.192.38 | 2026-06-25 | 2026-06-25 |
| DOMAIN | lutkdd.corpsecs.com | 2026-06-25 | 2026-06-25 |
| DOMAIN | googleoba.servequake.com | 2026-05-26 | 2026-06-25 |
| URL | https://lutkdd.corpsecs.com | 2026-05-26 | 2026-06-25 |