Malware created by North Korea's Kimsuky: Guidance on Submitting Explanatory Materials for an Unreported Source of Funds (Value-Added Tax Act Enforcement Rules)

2025-10-14 Sakai Kimsuky-themed malware analysis report

https://wezard4u.tistory.com/429619


A Korean-language malware analysis attributes a malicious Windows shortcut (.LNK), themed as a notice to submit explanatory materials for an undeclared source of funds, to Kimsuky activity against South Korean users. The LNK launches obfuscated PowerShell that locates the 35,265-byte shortcut, reads 18,432 bytes from offset 0x18CC, XOR-decodes that embedded payload with the single-byte key 0x99, writes the result to disk and executes it, then deletes the original shortcut. The follow-on command chain copies curl.exe and schtasks.exe into C:\Users\Public\Documents under renamed filenames, downloads AutoIt3.exe and PpkuFag.cdr from m2view.com.py under /wp-admin/js/widgets/hurryup/, and creates a scheduled task named PpkuFag that runs every minute. The report provides hashes for the LNK and shows persistence and payload retrieval implemented through renamed legitimate Windows utilities and AutoIt execution.
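The carve-and-decode step described above can be reproduced offline for triage. The following Python helper is an added example written for this summary, not code from the report or its author: it applies the layout the report states (a 35,265-byte shortcut, an 18,432-byte blob at offset 0x18CC, single-byte XOR key 0x99) to a shortcut file, hashes the file so the MD5 can be compared with the published indicators, and returns the decoded blob for inspection. It assumes 0x18CC is an absolute file offset and that the blob is contiguous; the stand-in payload it builds when run without arguments is constructed test data, not the real payload.

```python
"""Carve and XOR-decode the embedded payload of a Kimsuky-style LNK dropper.

Triage helper added for this summary (not code from the report or its author).
Layout per the report: 35,265-byte shortcut, 18,432-byte blob at offset 0x18CC,
XOR-encoded with the single byte 0x99. The offset is assumed to be absolute.
"""
import hashlib
import sys
from pathlib import Path

EXPECTED_SIZE = 35_265      # size of the malicious shortcut, per the report
PAYLOAD_OFFSET = 0x18CC     # start of the embedded blob (assumed absolute file offset)
PAYLOAD_LENGTH = 18_432     # number of bytes the loader extracts
XOR_KEY = 0x99              # single-byte key used by the loader

LNK_MAGIC = b"\x4c\x00\x00\x00"  # HeaderSize field that opens every Windows .LNK file


def matches_profile(data: bytes) -> bool:
    """True when the bytes have the shape of the shortcut described in the report."""
    return (
        data[:4] == LNK_MAGIC
        and len(data) == EXPECTED_SIZE
        and PAYLOAD_OFFSET + PAYLOAD_LENGTH <= len(data)
    )


def carve_payload(data: bytes) -> bytes:
    """Slice out the embedded region and undo the single-byte XOR."""
    blob = data[PAYLOAD_OFFSET:PAYLOAD_OFFSET + PAYLOAD_LENGTH]
    if len(blob) != PAYLOAD_LENGTH:
        raise ValueError(
            f"file too short: expected {PAYLOAD_LENGTH} bytes at 0x{PAYLOAD_OFFSET:X}"
        )
    return bytes(b ^ XOR_KEY for b in blob)


def triage(data: bytes) -> dict:
    """Hash the shortcut (compare the MD5 with the report's IoCs) and decode its payload."""
    decoded = carve_payload(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "matches_profile": matches_profile(data),
        "decoded_sha256": hashlib.sha256(decoded).hexdigest(),
        "decoded_preview": decoded[:64],
    }


def build_sample(plaintext: bytes) -> bytes:
    """Constructed test input: an LNK-shaped buffer with plaintext XOR-encoded at the offset."""
    body = bytearray(EXPECTED_SIZE)
    body[:4] = LNK_MAGIC
    padded = plaintext.ljust(PAYLOAD_LENGTH, b"\x00")[:PAYLOAD_LENGTH]
    body[PAYLOAD_OFFSET:PAYLOAD_OFFSET + PAYLOAD_LENGTH] = bytes(b ^ XOR_KEY for b in padded)
    return bytes(body)


if __name__ == "__main__":
    # Usage: python carve_lnk.py suspicious.lnk   (no argument runs the constructed sample)
    if len(sys.argv) > 1:
        data = Path(sys.argv[1]).read_bytes()
    else:
        data = build_sample(b"rem constructed stand-in payload, not the real one\r\n")
    result = triage(data)
    print(f"md5={result['md5']} matches_profile={result['matches_profile']}")
    print(f"decoded sha256={result['decoded_sha256']}")
    print(result["decoded_preview"])
```

The size check is deliberately strict because the loader itself keys on the 35,265-byte size when searching for the shortcut; a sample whose size differs is either a different build or was modified after delivery, and the carve offsets should then be re-derived from the PowerShell rather than assumed.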

Indicators of Compromise

Type    Value                                First Seen  Last Seen
HASH    fc44d9c71b71c58b3bfbb66479355f71     2025-10-14  2025-10-14
HASH    0c79620d6b36625655881d04ae4f9b2…     2025-10-14  2025-10-14
HASH    905814fd03e901c31b63c411fea0014…     2025-10-14  2025-10-14
URL     https://m2view.com.py/wp-admin/…     2025-10-14  2025-10-14
URL     https://m2view.com.py/wp-admin/…     2025-10-14  2025-10-14
URL     https://m2view.com.py/wp-admin/…     2025-10-14  2025-10-14
URL     https://m2view.com.py/wp-admin/…     2025-10-14  2025-10-14
URL     https://m2view.com.py/wp-admin/…     2025-10-14  2025-10-14
DOMAIN  m2view.com.py                        2025-10-14  2025-10-14
