Insurance-Impersonating Malware Created by Kimsuky - 241002-2024 GA Sales Headquarters Branch Allocation (October) (2025.1.31)

2025-02-04 Insurance-Impersonating Malware Created by Kimsuky - 241002-2024 GA Sales Headquarters Branch Allocation (October) (2025.1.31)

https://wezard4u.tistory.com/429397


A Kimsuky-attributed lure used a Korean insurance-themed Windows shortcut (LNK) disguised as a PDF for a 2024 GA sales-branch allocation document. The LNK executed Base64-decoded PowerShell that downloaded and opened a decoy PDF from Dropbox, then wrote chrome.ps1 under AppData for follow-on execution. Persistence was established through a hidden scheduled task named ChromeUpdateTaskMachine that ran PowerShell with ExecutionPolicy Bypass five minutes after creation and repeated every 30 minutes. The script also downloaded additional PowerShell payloads such as temp.ps1 and system_first.ps1 from Dropbox, executed them, and deleted the files afterward, leaving defenders concrete LNK, PowerShell, Dropbox, AppData, and scheduled-task artifacts to hunt for.

Indicators of Compromise

