Malware from the North Korea-linked hacking group Konni impersonating the National Tax Service: 부가가치세 수정신고 안내(부가가치세사무처리규정).hwp(2024..6.27).lnk

2024-07-04 Sakai Konni Malware Disguised as a National Tax Service VAT Correction Notice LNK

https://wezard4u.tistory.com/429221


A Korean-language analysis describes a Konni-linked malware lure impersonating South Korea's National Tax Service with a VAT correction notice, delivered as a Windows LNK shortcut carrying an HWP document name. The oversized shortcut runs obfuscated PowerShell, which searches for the matching LNK on disk, extracts XOR-encoded payloads embedded in it, writes a CAB archive under the Public directory, expands it into Public\documents, and launches start.vbs for the next stage. The write-up provides hashes for the LNK and notes the tax-agency impersonation and shortcut-based delivery aimed at Korean-speaking users, while framing Konni as a North Korea-linked cluster associated with Thallium/APT37 and possibly Kimsuky.

Indicators of Compromise

Type    Value                                    First Seen   Last Seen
HASH    e8b471c3d383fd44e53029676df3370…         2024-07-04   2024-07-04
HASH    6eee6fa92a270b1f32390eec50512eea         2024-07-04   2024-07-04
HASH    183fb85fc915017104cd473f8f3ad51…         2024-07-04   2024-07-04
URL     http://stvse.com/upload.php              2024-07-04   2024-07-04
DOMAIN  stvse.com                                2024-07-04   2024-07-04
