Malware made by Kimsuky: 2025-03-05임x철대표님께드리는글.pdf.lnk (2025.3.6) (the file name reads "A letter for CEO Lim x-cheol")

2025-03-10 Sakai Kimsuky Malware Disguised as a PDF Addressed to a Company Executive

https://wezard4u.tistory.com/429426


A Kimsuky-linked LNK file masquerades as a Korean PDF addressed to an executive associated with Blocore and Gameberry, suggesting targeting of technology-sector leadership. The shortcut contains AES-encrypted data and embedded PowerShell that decrypts a script, writes home.ps1 in the temporary directory, and runs it hidden with ExecutionPolicy Bypass. The decrypted script downloads a decoy PDF from a compromised koreaauditor.org path, contacts tony.php endpoints, retrieves error_log.ps1 into Public Documents, and creates a hidden VBS launcher. Persistence is established through a scheduled task named MicrosoftEdgeUpdateTaskCleaner that runs cscript.exe every 30 minutes, making the lure and infrastructure useful indicators for DPRK-focused intrusion tracking.
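The chain summarised above (hidden PowerShell with ExecutionPolicy Bypass running home.ps1 from Temp, error_log.ps1 and a VBS launcher dropped into Public Documents, contact with koreaauditor.org, and a scheduled task named MicrosoftEdgeUpdateTaskCleaner that runs cscript.exe every 30 minutes) can be turned into host-telemetry detection rules. The following is an added example written for this page; it is not code from the original report or from the blog it summarises. The event records are constructed stand-ins for process-creation, file-write, DNS and task-creation telemetry, and the user name "alice", the VBS file name "update.vbs" and the exact command lines are assumptions; the script names, task name, script host, interval and domain are the indicators the summary gives.

```python
import re

# ---- Constructed sample telemetry (NOT real logs) --------------------------
# Simplified stand-ins for process-creation, file-write, DNS and scheduled-task
# events. Assumed: user "alice", VBS name "update.vbs", exact command lines.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Stage 1: the LNK's embedded PowerShell launches the decrypted home.ps1 hidden.
    {"type": "process", "image": PS_EXE,
     "cmdline": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                r"-File C:\Users\alice\AppData\Local\Temp\home.ps1"},
    # Stage 2: error_log.ps1 and the VBS launcher land in Public Documents.
    {"type": "file_write", "image": PS_EXE, "path": r"C:\Users\Public\Documents\error_log.ps1"},
    {"type": "file_write", "image": PS_EXE, "path": r"C:\Users\Public\Documents\update.vbs"},
    {"type": "dns", "image": PS_EXE, "query": "koreaauditor.org"},
    # Stage 3: persistence via a 30-minute scheduled task running cscript.exe.
    {"type": "task_created", "name": r"\MicrosoftEdgeUpdateTaskCleaner",
     "action": r"C:\Windows\System32\cscript.exe",
     "arguments": r"//nologo C:\Users\Public\Documents\update.vbs", "repeat_minutes": 30},
    # Benign noise the rules must ignore.
    {"type": "task_created", "name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "action": r"C:\Windows\System32\usoclient.exe", "arguments": "StartScan", "repeat_minutes": 1440},
    {"type": "process", "image": PS_EXE,
     "cmdline": r"powershell.exe -NoProfile -File C:\ProgramData\IT\inventory.ps1"},
]

IOC_DOMAINS = {"koreaauditor.org"}
IOC_TASK_NAMES = {"microsoftedgeupdatetaskcleaner"}
# A .ps1 or .vbs directly under C:\Users\Public\Documents (matched on lower-cased text).
PUBLIC_DOCS_SCRIPT = re.compile(r"\\users\\public\\documents\\[^\\\s\"]+\.(?:ps1|vbs)\b")


def rule_hidden_bypass_temp_script(ev):
    """Stage 1: PowerShell run hidden with ExecutionPolicy Bypass on a .ps1 in a Temp directory."""
    if ev["type"] != "process" or "powershell" not in ev["image"].lower():
        return None
    cmd = ev["cmdline"].lower()
    if "bypass" in cmd and "hidden" in cmd and re.search(r"\\temp\\[^\s\"]+\.ps1", cmd):
        return "ps_hidden_bypass_temp_script"
    return None


def rule_script_in_public_documents(ev):
    """Stage 2: a script file written into Public Documents (error_log.ps1, the VBS launcher)."""
    if ev["type"] == "file_write" and PUBLIC_DOCS_SCRIPT.search(ev["path"].lower()):
        return "script_written_public_documents"
    return None


def rule_ioc_domain(ev):
    """Direct indicator match on the download/callback domain."""
    if ev["type"] == "dns" and ev["query"].lower().rstrip(".") in IOC_DOMAINS:
        return "ioc_domain_contact"
    return None


def rule_task_name_ioc(ev):
    """Direct indicator match on the scheduled-task name from the report."""
    if ev["type"] == "task_created" and ev["name"].lower().lstrip("\\") in IOC_TASK_NAMES:
        return "ioc_task_name"
    return None


def rule_task_scripthost_public_documents(ev):
    """Stage 3 (behavioural): a task that runs cscript/wscript on a Public Documents script
    at a short repeat interval. This survives a renamed task; the report's interval is 30 min."""
    if ev["type"] != "task_created":
        return None
    action = ev["action"].lower()
    args = ev.get("arguments", "").lower()
    if (action.endswith(("cscript.exe", "wscript.exe")) and PUBLIC_DOCS_SCRIPT.search(args)
            and ev.get("repeat_minutes", 10**9) <= 60):
        return "task_scripthost_public_documents_short_interval"
    return None


RULES = [rule_hidden_bypass_temp_script, rule_script_in_public_documents, rule_ioc_domain,
         rule_task_name_ioc, rule_task_scripthost_public_documents]


def triage(events):
    """Return (event_index, rule_id) for every rule that fires on every event, in order."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            rid = rule(ev)
            if rid:
                findings.append((i, rid))
    return findings


def chain_complete(findings):
    """True when the three behavioural stages of the reported chain are all present."""
    ids = {rid for _, rid in findings}
    return {"ps_hidden_bypass_temp_script", "script_written_public_documents",
            "task_scripthost_public_documents_short_interval"} <= ids


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for i, rid in hits:
        print(f"event {i}: {rid}")
    print("full chain observed:", chain_complete(hits))
```

The two indicator rules (domain and task name) are cheap but brittle; the three behavioural rules are the ones worth keeping once the infrastructure rotates, and `chain_complete` is the signal a SOC would escalate on rather than any single hit.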

Indicators of Compromise

Type     Value                                  First Seen    Last Seen
HASH     8cd66575b9d4f6688fff9cc1e238a84…       2025-03-10    2025-03-10
HASH     f2a9c827539183178e9175be36995de0       2025-03-10    2025-03-10
HASH     ff77862dd29e51dcb88242e965d3ed0…       2025-03-10    2025-03-10
URL      https://koreaauditor.org/data/m…       2025-03-10    2025-03-10
DOMAIN   koreaauditor.org                       2025-03-10    2025-03-10
