Kimsuky malware impersonating the cryptocurrency exchange Upbit - Upbit_20240916 docx lnk (2024.9.17)
2024-09-20 • Sakai • Kimsuky malware impersonating the Upbit cryptocurrency exchange through DOCX and LNK lures
The excerpt links Kimsuky to a malicious LNK file disguised as an Upbit cryptocurrency-exchange document (SHA-256 41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229). The shortcut invokes mshta.exe to run obfuscated JavaScript and PowerShell with the execution policy bypassed; the script connects to 64.49.14.181:8014, decodes a Base64-encoded ZIP into ProgramData, extracts it, and runs s.vbs. The follow-on scripts set up scheduled-task and Run-key persistence, open a decoy DOCX, and execute further PowerShell from temporary files. A later payload handles commands over TCP from 64.49.14.181 on port 7032, writing each received command to tmps2.ps1, executing it with PowerShell, and deleting the temporary script. Together these give defenders concrete lure, persistence, C2, and hash indicators to hunt for.
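A hunt over process, network, file and registry telemetry for the chain described above, written here as an added example (not code from the original report): it flags explorer.exe spawning mshta.exe, PowerShell launched from a script host with the execution policy bypassed, connections to 64.49.14.181 on 8014 or 7032, the s.vbs and tmps2.ps1 staging files, and Run-key or scheduled-task persistence. The event schema, file paths, event ids and log lines are constructed, and the ProgramData subfolder for s.vbs is an assumption.

```python
import json
import re
# Indicators quoted from the report; paths, event ids and log lines are constructed.
C2_HOST, C2_PORTS = "64.49.14.181", {8014, 7032}
PS_BYPASS = re.compile(r"-(executionpolicy|ep)\s+bypass", re.I)
STAGING = re.compile(r"(\\programdata\\.*\\s\.vbs|\\tmps2\.ps1)$", re.I)  # folder assumed
RUNKEY = re.compile(r"\\currentversion\\run\\", re.I)
# Constructed Sysmon-style telemetry, one JSON object per line (not real data).
SAMPLE_LOG = r"""
{"id":1,"type":"process","image":"C:\\Windows\\System32\\mshta.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"mshta.exe javascript:eval(...)"}
{"id":2,"type":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\System32\\mshta.exe","cmdline":"powershell -ep bypass -w hidden -c ..."}
{"id":3,"type":"network","image":"powershell.exe","dst_ip":"64.49.14.181","dst_port":8014}
{"id":4,"type":"file","image":"powershell.exe","target":"C:\\ProgramData\\up\\s.vbs"}
{"id":5,"type":"process","image":"C:\\Windows\\System32\\schtasks.exe","parent":"C:\\Windows\\System32\\wscript.exe","cmdline":"schtasks /create /tn Upd /tr ..."}
{"id":6,"type":"registry","image":"wscript.exe","target":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Upd"}
{"id":7,"type":"file","image":"powershell.exe","target":"C:\\Users\\u\\AppData\\Local\\Temp\\tmps2.ps1"}
{"id":8,"type":"process","image":"C:\\Windows\\System32\\mshta.exe","parent":"C:\\Tools\\admin.exe","cmdline":"mshta.exe C:\\Tools\\ui.hta"}
"""

def classify(ev):
    """Return the hunt rule an event matches, or None for unrelated activity."""
    img, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if ev["type"] == "process":
        # Stage 1: double-clicking the LNK makes explorer.exe spawn mshta.exe.
        if img.endswith("mshta.exe") and parent.endswith("\\explorer.exe"):
            return "mshta_from_shortcut"
        # Stage 2: a script host launches PowerShell with the execution policy bypassed.
        if (img.endswith("powershell.exe") and PS_BYPASS.search(cmd)
                and parent.rsplit("\\", 1)[-1] in {"mshta.exe", "wscript.exe", "cscript.exe"}):
            return "ps_bypass_from_script_host"
        if img.endswith("schtasks.exe") and "/create" in cmd:
            return "persistence_task"
    elif ev["type"] == "network":
        if ev.get("dst_ip") == C2_HOST and ev.get("dst_port") in C2_PORTS:
            return "c2_connect"
    elif ev["type"] == "file" and STAGING.search(ev.get("target", "")):
        return "staging_file"
    elif ev["type"] == "registry" and RUNKEY.search(ev.get("target", "")):
        return "persistence_runkey"
    return None

def hunt(log_text):
    hits = {}  # rule name -> ids of the events that triggered it
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        if rule := classify(ev):
            hits.setdefault(rule, []).append(ev["id"])
    return hits
```

Event 8 (mshta.exe started by an unrelated tool) is deliberately left unflagged so the stage-1 rule keys on the explorer.exe parent rather than on mshta.exe alone.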