Distribution of phishing emails disguised as content related to a personal information leak (Konni)

2023-12-06 Ahnlab Distribution of phishing emails disguised as content related to personal information leakage (Konni)

https://asec.ahnlab.com/ko/59625/


ASEC observed Konni phishing emails delivering a malicious EXE, disguised as material about a personal data leak, to individual users. Execution drops obfuscated JSE scripts, a PowerShell script, and a legitimate decoy DOC into ProgramData; Operator.jse creates a scheduled task that runs WindowsHotfixUpdate.jse every minute. The PowerShell component is designed to receive obfuscated C2 commands and execute them in XML form, with Lomd02.png handling the deobfuscation; ASEC could not observe the final commands because the C2 was unavailable. ASEC lists the Backdoor/JS.Konni, Backdoor/Win.Konni and Backdoor/PowerShell.Konni detections and the gjdow.atwebpages.com C2 URL among the indicators.
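The persistence step above (a scheduled task firing a .jse script from ProgramData every minute) is something a defender can hunt for directly. The script below is an added example, not code from the ASEC report or the malware; the report does not name the task, so matching is on the action and trigger rather than a task name, and the one-minute threshold and the `Get-SuspiciousJseTasks` function name are assumptions.

```powershell
# Hunt for scheduled tasks resembling the Konni persistence described above:
# an action that runs a .jse script (typically via wscript/cscript) out of
# ProgramData on a short repetition interval. Task name is not known from the
# report; WindowsHotfixUpdate.jse is the script name it cites (assumption that
# the filename is reused), MaxInterval of one minute is an assumed threshold.
function Get-SuspiciousJseTasks {
    param(
        [string]$ScriptNameHint = 'WindowsHotfixUpdate.jse',
        [timespan]$MaxInterval  = [timespan]::FromMinutes(1)
    )
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # Exec actions expose Execute (binary) and Arguments (script path etc.)
            $cmd             = "$($action.Execute) $($action.Arguments)"
            $runsJse         = $cmd -match '(?i)\.jse(\s|"|$)'
            $fromProgramData = $cmd -match '(?i)\\ProgramData\\'
            $namedHint       = $cmd -match [regex]::Escape($ScriptNameHint)
            if (-not $runsJse -and -not $namedHint) { continue }

            # Repetition.Interval is an ISO 8601 duration string, e.g. "PT1M"
            $shortRepeat = $false
            foreach ($trigger in $task.Triggers) {
                $interval = $trigger.Repetition.Interval
                if ($interval) {
                    $ts = [System.Xml.XmlConvert]::ToTimeSpan($interval)
                    if ($ts -le $MaxInterval) { $shortRepeat = $true }
                }
            }
            [pscustomobject]@{
                TaskName        = $task.TaskName
                TaskPath        = $task.TaskPath
                Command         = $cmd.Trim()
                FromProgramData = $fromProgramData
                ShortRepeat     = $shortRepeat
                # Simple score: more matching traits, higher priority for triage
                Score           = [int]$runsJse + [int]$fromProgramData +
                                  [int]$shortRepeat + [int]$namedHint
            }
        }
    }
}

Get-SuspiciousJseTasks | Sort-Object Score -Descending | Format-Table -AutoSize
```

Run it with administrative rights so tasks in all task folders are enumerated; a hit with Score 3 or 4 warrants pulling the referenced script from ProgramData for analysis.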

Indicators of Compromise

