DocSwap: security app that steals your security

Presented at VB2025 Berlin by

North Korean-backed APT groups have increasingly expanded their operations into the mobile domain, where smartphones serve as high-value reconnaissance assets containing personal, location, and authentication data. In early 2025, TALON identified a previously unreported Android malware family, which we named DocSwap. This malware disguises itself as "secure document viewers" or "authentication apps" and is capable of executing up to 57 commands, including keylogging, credential theft, and device surveillance. Our analysis revealed that DocSwap initially communicated with a C2 server impersonating CoinSwap, later modified to mimic Naver, a tactic historically observed in Kimsuky infrastructure. Based on infrastructure overlaps and distinctive C2 behaviours, we attribute this campaign to puNK-004, a subgroup moderately associated with Kimsuky. Between February and August 2025, TALON tracked at least eight DocSwap variants, each evolving in payload decryption, C2 obfuscation, and phishing delivery techniques. Distribution methods included malicious QR codes and apps masquerading as Korean delivery and shopping services, highlighting the actor's adaptability. This talk will present an in-depth technical analysis of DocSwap's functionalities, infrastructure, and evolution, along with its ties to Kimsuky. By detailing the attackers' tactics, techniques and procedures (TTPs), we aim to provide actionable insights that will help defenders proactively detect and respond to similar mobile threats.