김수키(Kimsuky) 서울대 국제문제연구소 사칭 악성코드-글로벌 복합 위기 한국의 안보전략.lnk(2025.9.28)

2025-10-03 Sakai Kimsuky-themed malware analysis report

https://wezard4u.tistory.com/429610


A Kimsuky-linked LNK malware sample used a lure titled “Global Complex Crisis, Korea’s Security Strategy” and presented an HWP document tied to a Seoul National University security-strategy event. When opened, the shortcut launches hidden PowerShell, which searches for a 56,397-byte LNK file, extracts the 50,688-byte HWP payload embedded at offset 5709, writes it to disk and opens it, then deletes the original shortcut. The script also decodes a base64 string and repeatedly executes it with Invoke-Expression, which, as described by the source, enables follow-on download, command execution, or C2 behavior. Reported indicators include the LNK filename, file size, MD5, SHA-1, SHA-256, and an icon URL hosted on raw.githubusercontent.com. The activity is notable because it shows Kimsuky continuing to pair Korea-focused policy and academic themes with LNK-to-PowerShell execution chains.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   26bf7746400d81c4fa11b29a2abac4c…    2025-10-03   2025-10-03
HASH   cb7fc4243f70956ea8c2ba961d4a4b3…    2025-10-03   2025-10-03
HASH   dea5ea1f43819570b82c95ff2cfef3b4    2025-10-03   2025-10-03
