해외금융계좌 신고서.hwp.lnk (overseas financial account declaration form) created by North Korean Konni impersonating the National Tax Service (2025.7.25)

2025-08-08 Foreign financial account declaration HWP.LNK produced by North Korean Konni impersonating the National Tax Service

https://wezard4u.tistory.com/429562


A Konni-attributed LNK malware sample impersonates a Korean National Tax Service overseas financial account declaration form and abuses Windows PowerShell to unpack and run embedded payloads. The obfuscated script locates the matching .lnk file by its file size, extracts XOR-encoded data from fixed offsets within it, writes out a payload, expands a CAB file under the Public Documents folder, deletes its staging files, and launches a VBS script. Follow-on BAT components collect directory listings of Downloads, Documents and Desktop together with systeminfo output, then use an RC4-like routine and an HTTP POST to upload the data to mrtech-solutions.com/dashboard/storage/app/src/upload.php. The exposed server behavior described in the excerpt includes upload and listing endpoints plus Laravel debug-mode exposure, which makes the campaign useful for tracking Konni data-theft tradecraft and C2 infrastructure.

Indicators of Compromise

Type     Value                                   First Seen   Last Seen
HASH     8b8fa6c4298d83d78e11b52f22a79100        2025-08-08   2026-01-18
IPv4     217.60.37.55                            2025-08-08   2025-08-11
HASH     33057c8c7f277e89872239907792f6f…        2025-08-08   2025-08-08
HASH     8d9d5a21d75e14410cc30e15176ecae…        2025-08-08   2025-08-08
URL      https://mrtech-solutions.com/da…        2025-08-08   2025-08-08
DOMAIN   mrtech-solutions.com                    2025-08-08   2025-08-08
