Malware created by North Korea's Kimsuky: 미신고 자금 출처명세서(찾아가는 법 찾기).zip (2025.6.4)

2025-06-23 Malware Created by North Korean Kimsuky - Unreported Source of Funds Statement (How to Find Visiting Legal Services).zip (2025.6.4)

https://wezard4u.tistory.com/429517

The Korean write-up attributes a tax-themed malware lure to Kimsuky and assesses that it was likely intended for email delivery to victims. The archive contained decoy HWP tax documents and a key HWP-themed LNK file that ran obfuscated PowerShell: it searched for the shortcut by its marker file size, decoded bytes embedded in the shortcut with XOR, executed the extracted payload, and then deleted the shortcut to remove the artifact. The follow-on command copied curl.exe and schtasks.exe into C:\Users\Public\Videos under renamed filenames, downloaded AutoIt3.exe and a CDR payload from thegreatratings[.]com, and created a scheduled task named CfjiFUW that runs every minute. The lure abused South Korean tax and undeclared-funds documentation themes, which makes it relevant to DPRK tracking of Kimsuky social engineering against Korean-language targets.

Indicators of Compromise

