Kimsuky used a Windows shortcut disguised as a Korean Ministry of Unification policy meeting HWP document to run heavily obfuscated PowerShell from the LNK file. The script carved embedded executable and VBScript data from the shortcut into the user temp path, then contacted isujeil.co.kr under /pg/adm/img/upload1/list.php?query=1. The recovered VBScript used WMI process creation and a hidden scheduled task that repeated every three hours, giving the operators persistence after the lure executed. The source records MD5, SHA1, and SHA256 hashes for the sample, but the main evidence is the LNK to PowerShell and VBScript execution chain.