Beware of spear-phishing attacks by a North Korean hacking group impersonating media organizations!

2025-08-07 ESTSecurity Warning on spear-phishing attacks by a North Korean hacking group impersonating media organizations

https://alyacofficialblog.tistory.com/5620


A spear-phishing operation targeted a specific individual at a South Korean nonprofit policy research institute. The attacker posed as an employee of a domestic media outlet and used an otherwise plausible column-submission workflow as the pretext. The lure was a password-protected ZIP delivered through a large-file attachment link on a local portal mail service; inside was an LNK file carrying a Chrome icon. Opening the LNK launched PowerShell, which staged scripts under %TEMP% and %APPDATA%, fetched a decoy PDF to keep the exchange looking legitimate, and registered a scheduled task named "MicrorfteguesoftUpdata1logiveKentwuerwtySchule" that re-ran the stager every 30 minutes for persistence. The chain then attempted to retrieve additional payloads, wrapped as TXT files, from attacker-controlled C2 infrastructure. ESRC assessed the tradecraft as highly similar to known Kimsuky activity; ESTSecurity products detect the components as Trojan.Agent.LNK.Gen and Trojan.PowerShell.Agent, and three MD5 hashes are published as indicators (listed in the table below).
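The chain above maps onto a handful of host-telemetry checks. What follows is an added example, not code from the ESRC report or from ESTSecurity: a Python hunt script that scores Sysmon-style events for the explorer.exe -> hidden PowerShell -> staged script under %TEMP%/%APPDATA% -> short-interval scheduled task -> .txt payload fetch pattern, and matches file hashes against the three MD5 indicators published on this page. The event dictionaries and their field names, the host names, PIDs, user paths and the c2.example URL are all constructed for the demonstration; only the hash values and the scheduled task name come from the report.

```python
"""Hunt for the LNK -> PowerShell -> scheduled-task chain over Sysmon-style events."""
import re
from collections import defaultdict

# MD5 indicators published with the ESRC report (the IOC table on this page)
IOC_MD5 = {
    "f9221d81b6c672ebebd2e1a1f59ad1cc",
    "08ea68fba0a2bed73b44d962712d0371",
    "8e6298c3b0ed49dc37cc4c9995f4a7c2",
}

PS_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
EXPLORER_IMAGE = re.compile(r"\\explorer\.exe$", re.I)
# Flags typical of an LNK-launched, hidden PowerShell stage
STEALTH_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|nop|noni|ep\s+bypass|executionpolicy\s+bypass|enc)", re.I)
STAGING_DIR = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(ps1|vbs|js|bat|cmd|txt)$", re.I)
TXT_URL = re.compile(r"\.txt(\?|$)", re.I)
ALERT_THRESHOLD = 5


def hunt(events):
    """Score each PowerShell process against the reported chain.
    Returns {(host, pid): {"score": int, "reasons": [str, ...]}}. An IOC hash hit
    is recorded for any process; every other rule applies only to powershell/pwsh."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    ps_keys = {k for k, e in procs.items() if PS_IMAGE.search(e["image"])}
    findings = defaultdict(lambda: {"score": 0, "reasons": []})

    def flag(key, points, why):
        findings[key]["score"] += points
        findings[key]["reasons"].append(why)

    for e in events:
        key = (e["host"], e["pid"])
        if e["type"] == "file_create" and e.get("md5", "").lower() in IOC_MD5:
            flag(key, 10, f"MD5 matches ESRC indicator: {e['path']}")
        if key not in ps_keys:
            continue
        if e["type"] == "process":
            parent = procs.get((e["host"], e["ppid"]))
            if parent and EXPLORER_IMAGE.search(parent["image"]):
                flag(key, 2, "PowerShell spawned by explorer.exe (double-clicked LNK pattern)")
            if STEALTH_FLAGS.search(e["cmdline"]):
                flag(key, 1, "hidden-window / execution-policy-bypass flags on command line")
        elif e["type"] == "file_create":
            if STAGING_DIR.search(e["path"]) and SCRIPT_EXT.search(e["path"]):
                flag(key, 2, f"script staged under %TEMP% or %APPDATA%: {e['path']}")
        elif e["type"] == "task_create":
            interval = e.get("interval_minutes", 0)
            if re.search(r"powershell(\.exe)?", e["action"], re.I) and 0 < interval <= 60:
                flag(key, 3, f"scheduled task '{e['task_name']}' runs PowerShell every {interval} min")
        elif e["type"] == "network" and TXT_URL.search(e["url"]):
            flag(key, 1, f"fetched a .txt resource, consistent with text-wrapped payload staging: {e['url']}")
    return dict(findings)


def alerts(events, threshold=ALERT_THRESHOLD):
    """Findings that clear the alert threshold."""
    return {k: v for k, v in hunt(events).items() if v["score"] >= threshold}


# Constructed sample telemetry (not data from the incident). Host names, PIDs,
# paths, user names and the c2.example URL are made up; the MD5 on the first
# script and the scheduled task name are the report's own.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "pid": 900, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "host": "ws01", "pid": 4120, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -windowstyle hidden -ep bypass -c "iex (gc $env:TEMP\cu.ps1 -raw)"'},
    {"type": "file_create", "host": "ws01", "pid": 4120,
     "path": r"C:\Users\kim\AppData\Local\Temp\cu.ps1", "md5": "f9221d81b6c672ebebd2e1a1f59ad1cc"},
    {"type": "file_create", "host": "ws01", "pid": 4120,
     "path": r"C:\Users\kim\AppData\Local\Temp\column_request.pdf"},  # decoy, not flagged
    {"type": "file_create", "host": "ws01", "pid": 4120,
     "path": r"C:\Users\kim\AppData\Roaming\Microsoft\run.ps1"},
    {"type": "task_create", "host": "ws01", "pid": 4120,
     "task_name": "MicrorfteguesoftUpdata1logiveKentwuerwtySchule", "interval_minutes": 30,
     "action": r"powershell.exe -w hidden -f C:\Users\kim\AppData\Roaming\Microsoft\run.ps1"},
    {"type": "network", "host": "ws01", "pid": 4120, "url": "http://c2.example/api/stage2.txt"},
    # Benign admin activity on another host: explorer-launched PowerShell, daily task
    {"type": "process", "host": "ws02", "pid": 500, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "host": "ws02", "pid": 520, "ppid": 500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"type": "task_create", "host": "ws02", "pid": 520, "task_name": "NightlyBackup",
     "interval_minutes": 1440, "action": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for key, f in sorted(alerts(SAMPLE_EVENTS).items()):
        print(key, f["score"])
        for why in f["reasons"]:
            print("  -", why)
```

The scoring is deliberately additive: explorer-launched PowerShell on its own (the ws02 case) scores 2 and stays below the threshold, while the combination of hidden-window flags, scripts written to the staging directories, a 30-minute PowerShell task and a .txt fetch lifts the ws01 process well past it even before the hash match. Hash matches are weighted so that a single IOC hit alerts regardless of the behavioural score, since the published hashes are the one thing on this page that is not a heuristic.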

Indicators of Compromise

Type   Value (MD5)                        First Seen   Last Seen
HASH   f9221d81b6c672ebebd2e1a1f59ad1cc   2025-08-07   2025-08-07
HASH   08ea68fba0a2bed73b44d962712d0371   2025-08-07   2025-08-07
HASH   8e6298c3b0ed49dc37cc4c9995f4a7c2   2025-08-07   2025-08-07
