Even 'Secure Mail' Is Not Safe! Malicious Files Impersonating a Card Company Are Being Distributed
2026-05-27 • AhnLab
AhnLab observed malicious LNK files distributed as secure email from a well-known Korean card company, with a flow similar to earlier Kimsuky password-file lure activity but with changed initial commands. The LNK launches PowerShell and `mshta` to run an HTA containing obfuscated VBScript, drops a decoy document, and then changes its follow-on behavior depending on whether Windows Defender is running. In Defender-enabled environments it downloads and decrypts `pipe.log` into `pipe.zip`, which contains components for backdoor activity, information theft, keylogging, and clipboard collection. When Defender is stopped, it downloads `user.txt` and `sys.log`, decrypts and loads `sys.dll` with `rundll32`, avoids VirtualBox and VMware, and retrieves additional payloads from Google Drive. The payload set includes remote command execution, file transfer, host and browser data collection, MeshAgent configuration retrieval, Chrome process injection for cookie theft, and theft of browser and email-client credentials.
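As an added illustration that is not part of the AhnLab report, the following Python triage script flags the execution chain described above (PowerShell spawning `mshta`, `rundll32` loading a DLL from a user-writable path, and the stage filenames the report names) over constructed process-creation events. The event format, host names, paths and HTA filename are assumptions, not indicators from the report.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry) in a simple 'k=v|k=v' format.
# Fields: host, parent (parent image), image (child image), cmd (command line).
SAMPLE_EVENTS = [
    "host=ws01|parent=explorer.exe|image=powershell.exe|cmd=powershell.exe -WindowStyle Hidden -Command <elided>",
    "host=ws01|parent=powershell.exe|image=mshta.exe|cmd=mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\update.hta",
    "host=ws01|parent=mshta.exe|image=rundll32.exe|cmd=rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\sys.dll,Start",
    "host=ws02|parent=explorer.exe|image=winword.exe|cmd=winword.exe C:\\Users\\v\\Documents\\report.docx",
    "host=ws02|parent=svchost.exe|image=rundll32.exe|cmd=rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
]

# Stage filenames named in the report; cheap to match but easy for an attacker to rename,
# so they are a supporting signal next to the behavioural rules below.
STAGE_FILES = {"pipe.log", "pipe.zip", "user.txt", "sys.log", "sys.dll"}
# Directories a standard user can write to; a DLL loaded from here by rundll32 is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)


def parse_event(line):
    """Parse one 'k=v|k=v' event line into a dict (the cmd value may contain spaces)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def detect(events):
    """Return {host: [rule names]} for events matching the described chain."""
    findings = defaultdict(list)
    for line in events:
        ev = parse_event(line)
        host, parent, image, cmd = ev["host"], ev["parent"].lower(), ev["image"].lower(), ev["cmd"]
        # Rule 1: the LNK stage runs PowerShell, which then launches mshta on the HTA.
        if parent == "powershell.exe" and image == "mshta.exe":
            findings[host].append("powershell_spawns_mshta")
        # Rule 2: the decrypted sys.dll stage is loaded with rundll32 from a user-writable path.
        if image == "rundll32.exe" and USER_WRITABLE.search(cmd):
            findings[host].append("rundll32_dll_from_user_path")
        # Rule 3: any stage filename from the report appearing on a command line.
        names = {m.lower() for m in re.findall(r"[\w.-]+\.\w+", cmd)}
        if names & STAGE_FILES:
            findings[host].append("known_stage_filename")
    return dict(findings)


if __name__ == "__main__":
    for host, rules in detect(SAMPLE_EVENTS).items():
        print(host, rules)
```

The Defender-dependent branch is not visible in process-creation events alone; correlate these hits with Defender service state and the `pipe.log`/`sys.log` download events from proxy or DNS logs.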