What Was the Shortcut File Mistaken for a Personal Information Consent Form?
2026-06-17 • AhnLab
AhnLab observed a malicious Windows shortcut disguised as a personal information consent document that runs obfuscated PowerShell and retrieves additional scripts for fileless execution. The chain creates downloader and loader PowerShell scripts, establishes persistence through Windows Task Scheduler, opens a decoy document, and deletes the original LNK to reduce suspicion. Additional payloads include an information-stealing script that collects host, security product, network, drive, file, and process data, and a backdoor loader that decrypts and loads malware in memory. AhnLab notes that the information-stealing flow resembles past Kimsuky activity, but the report frames the case mainly around the LNK/PowerShell tradecraft and defensive checks.