Link-based malware created by Kimsuky - scarcurft.lnk (2023-04-19)

2023-07-04 Sakai Link-based malware created by Kimsuky - scarcurft.lnk (2023-04-19)

https://wezard4u.tistory.com/6489


The source analyzes a Kimsuky-attributed malicious Windows shortcut file named scarcurft.lnk that uses hidden PowerShell execution instead of Office macros. The LNK searches for a matching shortcut, extracts an embedded Korean-language PDF lure and a BAT payload into the temporary directory, opens the PDF as decoy content, and then runs the BAT file. The embedded PowerShell includes API calls such as GlobalAlloc, VirtualProtect, CreateThread, and WaitForSingleObject, downloads additional data from a OneDrive API URL, and writes decoded bytes into executable memory before launching them. The report highlights representative hashes for the LNK and frames the technique as a shift toward link-file delivery to bypass macro-focused defenses.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
| --- | --- | --- | --- |
| HASH | d38ed1f834c168e5b8759d534d047e0… | 2023-07-04 | 2023-07-04 |
| HASH | e233e4da734f75388b40fed1717bfb6a | 2023-05-23 | 2023-07-04 |
| HASH | 1e0b5d6b85fca648061fdaf2830c5a9… | 2023-05-01 | 2023-07-04 |
| URL | https://api.onedrive.com/v1.0/s… | 2023-04-21 | 2023-07-04 |
| URL | https://1drv.ms/i/s!AhXEXLJSNMP… | 2023-04-21 | 2023-07-04 |
