Kimsuky malware attack impersonating an electronic tax invoice and abusing a GitHub data repository - 전자세금계산서.pdf.lnk (2025.7.23)
2025-07-30 • Sakai • Type: Hangul Document
The Korean analysis attributes an electronic tax invoice-themed malware campaign to Kimsuky. The lure is a disguised Windows shortcut (.lnk) named to look like a PDF invoice; opening it executes hidden PowerShell. The LNK carries Base64-encoded script logic that writes main.ps1 to the temporary directory and runs it with the execution policy bypassed and the PowerShell window hidden. The infection chain abuses GitHub raw content and the GitHub API, authenticated with a Personal Access Token, to download payloads, upload Base64-encoded victim data, and use attacker-controlled repositories as command-and-control storage. Persistence is established through scheduled tasks with legitimate-looking names such as "BitLocker MDM policy refresh" or "MicrosoftEdgeUpdate"; these run periodically and clean up working files such as main.ps1, temporary.ps1, real.txt, and first.txt. Collected data includes system information, boot time, OS details, process listings, device type, and IP-derived filenames; files are staged under AppData\Microsoft before upload to GitHub.
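The chain summarised above leaves a recognisable trail in endpoint telemetry: PowerShell started with a hidden window and a bypassed execution policy from a script in the temp directory, a scheduled task created under one of the lure names, and PowerShell itself talking to GitHub. The following detection sketch is an added example written for this page, not code from the original analysis or from Kimsuky's tooling. It runs over a constructed, Sysmon-like process-creation and network-connection log in a simple `timestamp|event|key=value|...` format (the format, the usernames, paths and timestamps are all assumptions made here), and returns one finding per rule hit so the logic can be reused against real exports.

```python
import re
from dataclasses import dataclass

# Names and artefacts taken from the analysis summary above.
LURE_TASK_NAMES = {"bitlocker mdm policy refresh", "microsoftedgeupdate"}
STAGING_SCRIPTS = {"main.ps1", "temporary.ps1"}
GITHUB_HOSTS = {"api.github.com", "raw.githubusercontent.com"}

# Constructed sample telemetry (assumed format, not real logs). The last line is a
# benign scheduled maintenance script and must not be flagged.
SAMPLE_LOG = """\
2025-07-23T09:12:01|ProcessCreate|image=C:\\Windows\\explorer.exe|cmd="C:\\Users\\u\\Downloads\\전자세금계산서.pdf.lnk"
2025-07-23T09:12:02|ProcessCreate|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|parent=C:\\Windows\\explorer.exe|cmd=powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\u\\AppData\\Local\\Temp\\main.ps1
2025-07-23T09:12:05|ProcessCreate|image=C:\\Windows\\System32\\schtasks.exe|parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=schtasks /create /tn "BitLocker MDM policy refresh" /tr "powershell -WindowStyle Hidden -File C:\\Users\\u\\AppData\\Local\\Temp\\main.ps1" /sc minute /mo 30
2025-07-23T09:12:09|NetworkConnect|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|dest=api.github.com|port=443
2025-07-23T09:30:00|ProcessCreate|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|parent=C:\\Windows\\System32\\svchost.exe|cmd=powershell.exe -File C:\\ProgramData\\backup\\nightly.ps1
"""


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


def parse_line(line):
    """Split 'ts|event|k=v|k=v' into (ts, event, {k: v})."""
    ts, event, *rest = line.split("|")
    attrs = dict(part.split("=", 1) for part in rest)
    return ts, event, attrs


def is_powershell(attrs):
    return attrs.get("image", "").lower().endswith("powershell.exe")


def hidden_powershell_from_temp(attrs):
    """Hidden window + bypassed execution policy + staging script under \\Temp\\."""
    cmd = attrs.get("cmd", "").lower()
    if not (is_powershell(attrs) and "-windowstyle hidden" in cmd
            and "-executionpolicy bypass" in cmd):
        return None
    m = re.search(r'-file\s+"?([^"\s]+)', cmd)
    if not m:
        return None
    script = m.group(1)
    name = script.rsplit("\\", 1)[-1]
    if "\\temp\\" in script and name in STAGING_SCRIPTS:
        return f"hidden PowerShell running {script}"
    return None


def lure_named_scheduled_task(attrs):
    """schtasks /create with one of the lure task names from the report."""
    if not attrs.get("image", "").lower().endswith("schtasks.exe"):
        return None
    cmd = attrs.get("cmd", "")
    if "/create" not in cmd.lower():
        return None
    m = re.search(r'/tn\s+"([^"]+)"', cmd, re.I)
    if m and m.group(1).lower() in LURE_TASK_NAMES:
        return f"scheduled task created with lure name {m.group(1)}"
    return None


def powershell_to_github(attrs):
    """PowerShell connecting to GitHub (payload download / data upload channel)."""
    if is_powershell(attrs) and attrs.get("dest", "").lower() in GITHUB_HOSTS:
        return f"PowerShell connected to {attrs['dest']}"
    return None


def analyze(log_text):
    """Return findings in log order; benign PowerShell use yields none."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, attrs = parse_line(line)
        rules = ([hidden_powershell_from_temp, lure_named_scheduled_task]
                 if event == "ProcessCreate" else [powershell_to_github])
        for rule in rules:
            detail = rule(attrs)
            if detail:
                findings.append(Finding(ts, rule.__name__, detail))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.ts, f.rule, f.detail)
```

Each rule alone is noisy in isolation (administrators do run PowerShell from scheduled tasks, and some tooling does legitimately call the GitHub API); the value comes from correlating a hidden-window launch from the temp directory with a task creation and an outbound GitHub connection from the same PowerShell process within a short window, which is exactly the sequence the report describes.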
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | soubtcevent.com | 2025-07-25 | 2025-07-30 |