Malicious LNK disguised as a bill notice to steal information
2025-04-22 • Ahnlab • Cyber threat report on LNK
ASEC reports malicious LNK files distributed to Korean users under notice-themed filenames posing as PDFs, such as a local tax bill and a sex-offender information notice. When executed, the LNK downloads and runs an HTA file from an attacker-controlled server; the HTA contains a ZIP archive and a decoy PDF. The ZIP holds Base64-encoded PowerShell components that collect browser credentials, bookmarks, extension data, cryptocurrency wallet files, GPKI and NPKI certificates, recent-file paths, system information, and clipboard and keystroke data. The malware also establishes persistence by registering a Run key and communicates periodically with the attacker to execute commands, upload files, and download files.
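For triage of the initial LNK stage described above, the following added example (not code from the ASEC report or from AhnLab) parses the Shell Link header and string fields of a .lnk file and flags the traits the report attributes to this campaign: a PDF-mimicking double extension, a script host as the link target, a remote URL and an HTA reference in the arguments, and Base64-encoded PowerShell. The sample LNK bytes are constructed inline with a placeholder command and the reserved `example.invalid` host; the filename, the `SUSPICIOUS` patterns and the `build_lnk` helper are assumptions for the demonstration, not artefacts from the page.

```python
import re
import struct

# Shell Link header constants (MS-SHLLINK 2.1): fixed 76-byte header,
# CLSID 00021401-0000-0000-C000-000000000046 stored little-endian on disk.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional sections follow.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

# Triage heuristics (assumed for this example) mirroring the report's chain:
# a script host target, a remote download, an HTA stage, Base64 PowerShell.
SUSPICIOUS = [
    (r"(?i)\bpowershell(\.exe)?\b|\bmshta(\.exe)?\b", "target is a script host"),
    (r"(?i)https?://", "arguments contain a remote URL"),
    (r"(?i)\.hta\b", "arguments reference an HTA file"),
    (r"(?i)frombase64string|-encodedcommand|\s-e(nc)?\s", "Base64-encoded PowerShell"),
]


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and StringData fields of a shell link, skipping
    the ID list and LinkInfo sections by their declared sizes."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a shell link header")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    unicode = bool(flags & IS_UNICODE)
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            fields[name] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


def triage_lnk(filename: str, data: bytes) -> dict:
    """Parse the link and list which campaign traits it shows."""
    fields = parse_lnk(data)
    findings = []
    if filename.lower().endswith(".pdf.lnk"):
        findings.append("double extension mimics a PDF")
    haystack = " ".join(v for v in (fields["relative_path"], fields["working_dir"], fields["arguments"]) if v)
    for pattern, label in SUSPICIOUS:
        if re.search(pattern, haystack):
            findings.append(label)
    return {"target": fields["relative_path"], "arguments": fields["arguments"], "findings": findings}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Assumed helper: build a minimal Unicode shell link with only a
    relative path and arguments, so the parser can be exercised offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # zero the remaining header fields
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed sample: a PowerShell target with a placeholder command that
# fetches and runs an HTA from a reserved example host (not a real IoC).
SAMPLE_LNK = build_lnk(
    "..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    '-WindowStyle Hidden -Command "<download http://example.invalid/notice.hta and run it>"',
)

if __name__ == "__main__":
    print(triage_lnk("local_tax_bill.pdf.lnk", SAMPLE_LNK))
```

The parser only walks the sections needed to reach StringData, which is where the target and arguments of a downloader LNK live; ExtraData blocks after the strings are ignored. A link whose arguments are empty or whose target is an ordinary document yields no findings, so the script can be run across a mail-quarantine folder and only the hits need a closer look.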
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://nid-naveroup.servepics.… | 2025-04-22 | 2025-04-23 |
| DOMAIN | nid-naveroup.servepics.com | 2025-04-22 | 2025-04-23 |