Malicious LNK Being Distributed to Domestic Financial Companies

2024-07-25 Ahnlab Malicious LNK Being Distributed to Domestic Financial Companies

https://asec.ahnlab.com/ko/68266/


ASEC reports malicious LNK files being distributed against domestic financial companies through emails containing a URL that downloads a ZIP named as a financial-authority project information request. The archive contains a decoy PDF about virtual-currency project updates and a large LNK made to resemble an Excel file, which runs heavily obfuscated PowerShell. The LNK extracts a normal spreadsheet and a malicious CAB file, opens the decoy content, expands the CAB, executes start.vbs, registers persistence through a Run key, and runs batch scripts for information theft and additional downloads. Stolen user information is sent to hxxp://shutss[.]com/upload.php, while follow-on ZIP and CAB download paths include thevintagegarage[.]com and shutss[.]com endpoints. ASEC notes the overall file formats, commands, and URL patterns resemble earlier activity, while the script obfuscation has become more complex to hinder analysis and detection.
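The chain summarized above (explorer-launched hidden PowerShell, CAB expansion, start.vbs via wscript, a Run-key entry) is what a detection engineer would look for in process-creation telemetry. The following is an added example, not code from the ASEC report: it walks a process tree built from constructed Sysmon-style events and flags a PowerShell process whose descendants show two or more stages of the chain. Field names, PIDs and paths are made up, and the use of expand.exe for the CAB step is an assumption, since the report does not name the tool.

```python
import re
from collections import defaultdict, namedtuple
# One process-creation event (Sysmon Event ID 1 style fields); a constructed shape, not a real schema.
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Chain stages as (name, regex over "image cmdline"); matching expand.exe for the CAB step is an
# assumption, since the report says the CAB is expanded but not which tool does it.
STAGES = [
    ("hidden_powershell", re.compile(r"powershell\.exe.*-(w(indowstyle)?\s+hidden|e(xecutionpolicy)?p?\s+bypass)", re.I)),
    ("cab_expand", re.compile(r"expand\.exe.*\.cab", re.I)),
    ("start_vbs", re.compile(r"wscript\.exe.*start\.vbs", re.I)),
    ("run_key", re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I)),
]

def detect_lnk_chain(events, min_stages=2):
    # Flag PowerShell spawned by explorer.exe (how a double-clicked LNK runs) whose process
    # subtree shows at least min_stages of the chain. Returns [(powershell pid, [stage names])].
    by_pid = {ev.pid: ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    alerts = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if not (ev.image.lower().endswith("powershell.exe") and parent
                and parent.image.lower().endswith("explorer.exe")):
            continue
        subtree, stack = [], [ev]
        while stack:  # iterative walk over every descendant of the PowerShell process
            p = stack.pop()
            subtree.append(p)
            stack.extend(children.get(p.pid, []))
        hits = {name for p in subtree for name, rx in STAGES if rx.search(p.image + " " + p.cmdline)}
        if len(hits) >= min_stages:
            alerts.append((ev.pid, sorted(hits)))
    return alerts

# Constructed sample telemetry modelled on the reported chain; PIDs, paths and names are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, PS, 'powershell.exe -windowstyle hidden -ep bypass -c "<obfuscated script>"'),
    ProcEvent(300, 200, r"C:\Windows\System32\expand.exe", r"expand.exe C:\Users\u\AppData\Local\Temp\a.cab -F:* C:\ProgramData\a"),
    ProcEvent(400, 200, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\ProgramData\a\start.vbs"),
    ProcEvent(500, 400, r"C:\Windows\System32\reg.exe", r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v a /t REG_SZ /d "wscript C:\ProgramData\a\start.vbs"'),
    ProcEvent(600, 100, PS, "powershell.exe -NoProfile -Command Get-Process"),  # benign: must not alert
]
```

Only the hidden PowerShell at PID 200 is reported; the interactive PowerShell at PID 600 shares the explorer.exe parent but matches no stage, which is why the rule scores the subtree rather than the parent relationship alone.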

Indicators of Compromise

Type    Value                                First Seen  Last Seen
URL     https://thevintagegarage.com/pl…     2024-07-25  2025-05-19
DOMAIN  thevintagegarage.com                 2024-07-25  2025-05-19
HASH    e3eeeebb117b7c3128d87b6e027bd85d     2024-07-25  2024-07-25
URL     http://shutss.com/list.php?f=%C…     2024-07-25  2024-07-25
URL     http://shutss.com/upload.php         2024-07-25  2024-07-25
URL     https://cumasufitness.com/wp-in…     2024-07-25  2024-07-25
DOMAIN  cumasufitness.com                    2024-07-25  2024-07-25
DOMAIN  shutss.com                           2024-07-25  2024-07-25
