Kimsuky malware disguised as a subsidy-application inquiry (2024.9.23)

2024-09-26 Sakai Kimsuky malware disguised as a subsidy application inquiry

http://wezard4u.tistory.com/429286


Kimsuky is linked in the excerpt to a malicious LNK file disguised as a subsidy-application inquiry document, with SHA-256 24a0124e2e38407f2062dc2bfb0bd474413a10d80ef8e1913ecfa699d962229f. The LNK invokes mshta.exe and obfuscated script content to run PowerShell with execution-policy bypass, connect to 64.49.14.181 on port 8014, and receive Base64-encoded data. The decoded content is written as c:\programdata\t.zip, extracted into ProgramData, and followed by execution of s.vbs and a service-control command intended to continue the chain. The author notes the same C2 infrastructure appeared in the earlier Upbit-themed sample and that, at the time of testing, only t.zip was created because the server no longer completed the next stage.
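The chain summarised above (mshta.exe launching PowerShell with an execution-policy bypass, a connection to the C2 address, a staging archive written under ProgramData, then a script host running s.vbs) maps naturally onto endpoint-telemetry detections. The following is an added example, not code from the original post: it runs a few rules over constructed Sysmon-style events. The event field names and the rule names are assumptions; the IP, port and drop path come from the page's own indicators.

```python
import re

# IoCs taken from the page's indicator table; everything else here is a
# hypothetical detection layer written for illustration.
C2_IPS = {"64.49.14.181"}
C2_PORT = 8014
DROP_PATH = re.compile(r"\\programdata\\t\.zip$", re.IGNORECASE)
# Matches "-ep bypass" and "-ExecutionPolicy Bypass" in any casing.
EP_BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.IGNORECASE)


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_mshta_spawns_powershell_bypass(ev):
    return (ev["type"] == "process"
            and _basename(ev["parent"]) == "mshta.exe"
            and _basename(ev["image"]) == "powershell.exe"
            and EP_BYPASS.search(ev["cmdline"]) is not None)


def rule_c2_connection(ev):
    return (ev["type"] == "network"
            and (ev["dst_ip"] in C2_IPS or ev["dst_port"] == C2_PORT))


def rule_stage_zip_written(ev):
    return ev["type"] == "file" and DROP_PATH.search(ev["path"]) is not None


def rule_script_host_runs_s_vbs(ev):
    return (ev["type"] == "process"
            and _basename(ev["image"]) in ("wscript.exe", "cscript.exe")
            and "s.vbs" in ev["cmdline"].lower())


RULES = [
    ("mshta_spawns_powershell_bypass", rule_mshta_spawns_powershell_bypass),
    ("c2_connection", rule_c2_connection),
    ("stage_zip_written", rule_stage_zip_written),
    ("script_host_runs_s_vbs", rule_script_host_runs_s_vbs),
]


def detect(events):
    """Return (rule_name, event_id) pairs for every event a rule fires on."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["id"]))
    return hits


# Constructed sample telemetry (not real captures): four events that mirror the
# described chain plus two benign events that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -w hidden -c <obfuscated>"},
    {"id": 2, "type": "network", "dst_ip": "64.49.14.181", "dst_port": 8014},
    {"id": 3, "type": "file", "path": r"C:\ProgramData\t.zip"},
    {"id": 4, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"id": 5, "type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\ProgramData\s.vbs"},
    {"id": 6, "type": "network", "dst_ip": "8.8.8.8", "dst_port": 443},
]

if __name__ == "__main__":
    for name, event_id in detect(SAMPLE_EVENTS):
        print(f"{name}: event {event_id}")
```

Each rule is deliberately narrow so that a single hit is a lead rather than an alert; the parent/child relationship in the first rule and the ProgramData drop in the third are the parts of the chain least likely to change between campaigns, while the IP and port will age out as the table's Last Seen dates suggest.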

Indicators of Compromise

Type    Value                                First Seen   Last Seen
DOMAIN  ck.org                               2024-09-26   2024-10-01
HASH    1f29ccc30a6d053fcbc5210d921ac721     2024-09-26   2024-09-26
HASH    35b7c9abc46750e9c1f672086427326…     2024-09-26   2024-09-26
HASH    24a0124e2e38407f2062dc2bfb0bd47…     2024-09-26   2024-09-26
IPv4    64.49.14.181                         2024-09-17   2024-09-26
