Analysis of document-type malware disguised as a value-added tax filing (Konni APT campaign)

2024-09-02 Sands Lab Document malware disguised as a value-added tax filing in a Konni APT campaign

https://blog.naver.com/PostView.naver?blogId=sandslab&logNo=223569075065


Sands Lab analyzed a Konni-linked campaign that used South Korean value-added tax filing themes to lure users into opening a malicious LNK file disguised as a HWP document. The LNK extracted an obfuscated PowerShell script, dropped a decoy document and Byimtb.cab under Public Documents, then used start.vbs and modular batch scripts to hide execution and maintain persistence through the Run registry key. The batch modules collected file listings from the Desktop, Downloads, and Documents folders plus systeminfo output, then attempted to exfiltrate the data to sibbss.com and fetch additional payloads from radionaranjalstereo.com. The report notes that syntax errors and TLS/certificate problems likely prevented some later-stage downloads, but the tooling, upload structure, bundled unzip.exe, and modular batch workflow match known Konni activity. The conclusion frames the activity as reconnaissance or initial access against public-sector finance personnel and says it closely resembles campaigns associated with North Korea's APT37.

Indicators of Compromise

