Malware impersonating the National Tax Service, created by the North Korean hacking group Konni (코니): VAT.hwp (2024.6.13)
2024-06-18 • Sakai • Konni Malware Disguised as a National Tax Service VAT HWP Lure
Konni is described as a North Korea-linked group using a National Tax Service-themed VAT.hwp lure to deliver malware through a malicious shortcut and obfuscated PowerShell. The script searches for a specific LNK file, reads embedded byte ranges, XOR-decodes payload data, writes files into public document paths, expands a CAB archive, and launches VBS and batch components for persistence and execution. The source lists hashes for the archive and extracted files and ties the activity to phishing attachments used to steal information or establish remote access. The case is relevant to DPRK tracking because it combines Korean tax-agency impersonation with Konni, APT37, and Thallium-linked tradecraft.
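The two traits the summary describes, a shortcut whose arguments launch PowerShell and payload bytes stored inside the LNK itself for that script to read back, can both be checked by walking the MS-SHLLINK structure and measuring what lies beyond its terminal block. The triage below is an added example, not code from the source report; the sample shortcut, its placeholder argument string and the appended zero bytes are constructed here, and the ANSI code page is assumed to be cp1252.

```python
import struct

# Shell Link header constants (MS-SHLLINK); the sample file built below is constructed, not Konni's.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))

def build_lnk(arguments, appended=b""):
    """Construct a minimal Unicode .lnk carrying only an Arguments string, then append bytes after the terminal block."""
    flags = 0x20 | IS_UNICODE                    # HasArguments | IsUnicode
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    terminal_block = struct.pack("<I", 0)        # ExtraData ends with a BlockSize < 4
    return header + string_data + terminal_block + appended

def parse_lnk(data):
    """Walk the shell-link structure; return its StringData fields and every byte that follows the structure."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    off = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:                       # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                     # LinkInfoSize covers the whole LinkInfo block
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, name in STRING_FIELDS:              # CountCharacters + characters, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            if flags & IS_UNICODE:
                strings[name] = data[off:off + 2 * count].decode("utf-16-le")
                off += 2 * count
            else:                                # ANSI strings use the system code page; cp1252 assumed
                strings[name] = data[off:off + count].decode("cp1252", "replace")
                off += count
    while off + 4 <= len(data):                  # skip ExtraData blocks until the terminal block
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            off += 4
            break
        off += block_size
    return strings, data[off:]

def triage_lnk(data):
    """Flag a PowerShell launcher in Arguments and a payload appended past the shell-link structure."""
    strings, trailer = parse_lnk(data)
    args = strings.get("arguments", "")
    launches_powershell = "powershell" in args.lower() or "pwsh" in args.lower()
    return {"arguments": args, "powershell_launcher": launches_powershell,
            "appended_bytes": len(trailer), "suspicious": launches_powershell and len(trailer) > 0}
```

A shortcut that both starts PowerShell and carries kilobytes past its terminal block is worth pulling for analysis; the appended region is where the byte ranges the script reads and XOR-decodes would live.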