Cobalt Strike Malware Created by Kimsuky - test.zip (2025.1.11)
2025-01-16 • Sakai • Cobalt Strike Malware Created by Kimsuky - test.zip (2025.1.11) •
A Kimsuky-linked sample, test.zip, is described as a Cobalt Strike-related malware package that uses a Windows shortcut (LNK) file to disguise execution as opening a document. The LNK carries a WordPad icon and launches hidden PowerShell that searches the same directory for a shortcut of exactly 395,530 bytes, reads the data embedded in it, writes a temporary ZIP from offset 3,412, expands it, deletes the temporary archive, and runs svchost.exe. The dropped svchost.exe payload is reported at 367,019,008 bytes, with hashes provided, and the malware references hxxp://c-csigns(.)com:443/686c6c647a_B(.)gif. Vendor detections identify the file as an LNK dropper or Kimsuky-related malware, which supports detection opportunities around document-themed LNK lures, embedded archive extraction, hidden PowerShell, and masqueraded svchost execution.
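As an added defender-side example (not code from the original report), the following check looks for the embedded-archive trait described above: it validates the ShellLinkHeader, locates a ZIP local-file signature after the header, lists the archive's members, and compares the shortcut size and ZIP offset against the 395,530-byte / offset-3,412 values reported on this page. The sample input is constructed in code; the constant names and the `svchost.exe` placeholder member are assumptions for illustration.

```python
# Detect .lnk files carrying an appended ZIP archive, the trait of the Kimsuky
# test.zip shortcut (ZIP carved from offset 3,412 of a 395,530-byte LNK).
import io
import struct
import zipfile
from typing import Optional

LNK_HEADER_SIZE = 0x4C                    # fixed ShellLinkHeader size (MS-SHLLINK)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID on disk
ZIP_LOCAL_SIG = b"PK\x03\x04"             # ZIP local file header signature
REPORTED_LNK_SIZE = 395_530               # size the hidden PowerShell searches for
REPORTED_ZIP_OFFSET = 3_412               # offset the ZIP is written from

def is_lnk(data: bytes) -> bool:
    """True if data starts with a valid ShellLinkHeader (HeaderSize + LinkCLSID)."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)

def find_embedded_zip(data: bytes) -> Optional[dict]:
    """Describe a ZIP found after the shortcut header; None if not an LNK or no ZIP."""
    if not is_lnk(data):
        return None
    # Heuristic: first local-file signature past the header (a hit is a lead, not proof).
    off = data.find(ZIP_LOCAL_SIG, LNK_HEADER_SIZE)
    if off == -1:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        members = []  # signature present but archive unreadable: still worth triage
    return {
        "lnk_size": len(data),
        "size_matches_report": len(data) == REPORTED_LNK_SIZE,
        "zip_offset": off,
        "offset_matches_report": off == REPORTED_ZIP_OFFSET,
        "members": members,
        "drops_svchost": any(m.lower().endswith("svchost.exe") for m in members),
    }

def build_sample(zip_offset: int = REPORTED_ZIP_OFFSET) -> bytes:
    """Constructed input: minimal LNK header zero-padded to zip_offset, followed
    by a harmless ZIP whose only member is a placeholder named svchost.exe."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID).ljust(LNK_HEADER_SIZE, b"\0")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("svchost.exe", b"placeholder text, not an executable")
    return header.ljust(zip_offset, b"\0") + buf.getvalue()
```

Run `find_embedded_zip` over the bytes of any shortcut pulled from a mail gateway or endpoint; a non-None result with `drops_svchost` set matches the lure pattern this report describes.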
Indicators of Compromise