A Kimsuky linked archive used a highway construction invoice theme and hid an LNK file behind a BMP filename, "Do-yang Company 20240610 invoice cover.bmp.lnk". The shortcut runs hidden PowerShell, decodes a Base64 command, downloads a decoy BMP from Dropbox, and writes chrome.ps1 under AppData. It then registers a hidden scheduled task named ChromeUpdateCoreTaskMachineKOR to run the script every 30 minutes and fetches additional PowerShell payloads from Dropbox before deleting them. The report publishes hashes for both the ZIP and LNK, including SHA-256 44ff60d352169f280801cf2075295aab0a6151ff8f77b66d16c82776efce7fea, useful for detecting invoice themed Kimsuky LNK delivery.