Beware of malware being distributed impersonating public institutions (LNK)

2023-11-09 Ahnlab Beware of malware being distributed pretending to be a public institution (LNK)

https://asec.ahnlab.com/ko/58818/


ASEC reports a campaign distributing malicious LNK files through emails that impersonate secure-mail services and public institutions, mainly targeting people working on unification and security issues. The lure archives contain legitimate HWP documents on Ministry of Unification brown-bag lunch or policy meeting themes alongside LNK files that drop obfuscated VBS scripts and open decoy documents. The malware contacts external URLs to download further scripts or TutRAT, which can run filelessly, configure an attacker server, and supports keylogging, browser credential theft, screenshots, and command execution. ASEC notes behavioral and C2-format similarities to earlier activity and lists C2 infrastructure including 165.154.230[.]24:8020 and several defanged download URLs.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   64dee04b6e6404c14d10971adf35c3a7   2023-11-09   2024-04-17
HASH   eb614c99614c3365bdc926a73ef7a492   2023-11-09   2024-04-17
HASH   fb5aec165279015f17b29f9f2c730976   2023-11-09   2024-04-17
HASH   b70bc31b537caf411f97a991d8292c5a   2023-11-09   2024-04-17
IPv4   165.154.230.24                     2023-11-09   2024-04-17
HASH   de7cd0de5372e7801dab5aafd9c19148   2023-11-09   2023-11-14
HASH   5e5a87d0034e80e6b86a64387779dc2e   2023-11-09   2023-11-14
HASH   209ac4185dfc1e4d72c035ecb7f98eac   2023-11-09   2023-11-14
HASH   0040aa9762c2534ac44d9a6ae7024d15   2023-11-09   2023-11-14
HASH   d00aa4b1a3cd9373d49c023580711170   2023-11-09   2023-11-14
HASH   40b7c3bced2975d70359a07c4f110f18   2023-11-09   2023-11-14
