Malware Created by North Korea's Kimsuky - 20241003_20134.docx.lnk (2024.10.3)

2024-10-08 Sakai Malware Created by North Korea's Kimsuky - 20241003_20134.docx.lnk (2024.10.3)

http://wezard4u.tistory.com/429294


The Kimsuky-linked shortcut 20241003_20134.docx.lnk is a Windows .lnk lure that poses as a Word document (the .docx.lnk double extension) and abuses mshta.exe to run obfuscated JavaScript, which in turn launches PowerShell. The PowerShell stage connects to 206.206.127.152 on port 9002, downloads a ZIP archive to C:\ProgramData, expands it, executes s.vbs, and deletes its temporary artifacts. The decoded VBScript establishes persistence twice over: a scheduled task that fires every minute and a Run registry entry. A later PowerShell stage connects to the same host on port 7031 and executes the commands it receives by writing them to a temporary script. The published hashes and staging paths give defenders concrete indicators for hunting Kimsuky shortcut-based delivery and the post-execution persistence that follows it.
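As an added hunting example (not code from the wezard4u post or from this indicator page), the following Python module encodes the chain summarised above as rules over Sysmon-style events: the Explorer to mshta.exe inline-script launch, connections to 206.206.127.152 on ports 9002 and 7031, .zip/.vbs drops under C:\ProgramData by a script host, a one-minute scheduled task, and a Run-key value that launches a script. The field names follow Sysmon event IDs 1, 3, 11 and 13; the sample events, the archive name stage.zip and the task name Update are constructed, since the report names only s.vbs. The rules are deliberately broader than the literal indicators so that a re-staged sample that changes the archive or task name but keeps the technique still fires.

```python
"""Added hunting example: flag the delivery, staging, persistence and C2 steps of
the Kimsuky LNK chain in Sysmon-style events. All sample events are constructed."""
import re
from dataclasses import dataclass

# Indicators from the report: one host, two ports (9002 stager, 7031 command channel).
C2_IP = "206.206.127.152"
C2_PORTS = {9002, 7031}
# The ZIP is staged and expanded under C:\ProgramData and s.vbs is run from there.
STAGING_DIR = "c:\\programdata\\"
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

INLINE_SCRIPT_RE = re.compile(r"\b(javascript|vbscript):", re.I)
MINUTE_TASK_RE = re.compile(r"/sc\s+minute\b.*/mo\s+1\b|/mo\s+1\b.*/sc\s+minute\b", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def image_name(path):
    """Base name of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_lnk_mshta(ev):
    # Explorer launching mshta.exe with an inline javascript:/vbscript: payload is the
    # shape of a double-clicked .lnk lure; legitimate .hta launches pass a file path.
    if ev.get("EventID") == 1 and image_name(ev.get("Image", "")) == "mshta.exe" \
            and image_name(ev.get("ParentImage", "")) == "explorer.exe" \
            and INLINE_SCRIPT_RE.search(ev.get("CommandLine", "")):
        return Finding("lnk_mshta_inline_script", ev["CommandLine"][:60])
    return None


def rule_c2(ev):
    # Any process connecting to the published C2 host on either published port.
    if ev.get("EventID") == 3 and ev.get("DestinationIp") == C2_IP \
            and ev.get("DestinationPort") in C2_PORTS:
        proc = image_name(ev.get("Image", ""))
        return Finding("kimsuky_c2_connection", f"{proc} -> {C2_IP}:{ev['DestinationPort']}")
    return None


def rule_staging(ev):
    # A script host writing a .zip or .vbs directly under C:\ProgramData.
    target = ev.get("TargetFilename", "").lower()
    if ev.get("EventID") == 11 and image_name(ev.get("Image", "")) in SCRIPT_HOSTS \
            and target.startswith(STAGING_DIR) and target.endswith((".zip", ".vbs")):
        return Finding("programdata_script_staging", ev["TargetFilename"])
    return None


def rule_minute_task(ev):
    # schtasks creating a task that fires every minute (/sc minute /mo 1).
    if ev.get("EventID") == 1 and image_name(ev.get("Image", "")) == "schtasks.exe" \
            and MINUTE_TASK_RE.search(ev.get("CommandLine", "")):
        return Finding("one_minute_scheduled_task", ev["CommandLine"][:60])
    return None


def rule_run_key(ev):
    # A Run-key value whose data launches a script or a script host.
    details = ev.get("Details", "").lower()
    if ev.get("EventID") == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")) \
            and (".vbs" in details or any(h in details for h in SCRIPT_HOSTS)):
        return Finding("run_key_script_persistence", ev["TargetObject"])
    return None


RULES = (rule_lnk_mshta, rule_c2, rule_staging, rule_minute_task, rule_run_key)


def hunt(events):
    """Run every rule over every event; findings come back in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


def triggered_rules(events):
    return sorted({f.rule for f in hunt(events)})


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"

# Constructed events following the chain in the report (stage.zip and the task name
# Update are placeholders; the report itself names only s.vbs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'mshta.exe javascript:eval(unescape("%76%61%72..."))'},
    {"EventID": 3, "Image": PS, "DestinationIp": C2_IP, "DestinationPort": 9002},
    {"EventID": 11, "Image": PS, "TargetFilename": r"C:\ProgramData\stage.zip"},
    {"EventID": 11, "Image": PS, "TargetFilename": r"C:\ProgramData\s.vbs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": WS,
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn "Update" /tr "wscript C:\ProgramData\s.vbs"'},
    {"EventID": 13, "Image": WS,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"wscript C:\ProgramData\s.vbs"},
    {"EventID": 3, "Image": PS, "DestinationIp": C2_IP, "DestinationPort": 7031},
]

# Constructed benign look-alikes that must not fire.
BENIGN_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\App\app.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\App\help.hta"'},
    {"EventID": 3, "Image": PS, "DestinationIp": "20.190.160.1", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "schtasks /create /sc daily /tn Backup /tr backup.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\ProgramData\Package Cache\x.msi"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding.rule:28} {finding.detail}")
```

Feed it exported Sysmon events as dicts and tune SCRIPT_HOSTS and the staging rule to the local baseline, since installers and updaters also write under C:\ProgramData; the C2 rule is the only one tied to the exact published indicator, the other four describe the technique and will keep firing after the infrastructure changes.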

Indicators of Compromise

Type   Value                               First Seen   Last Seen
IPv4   206.206.127.152                     2024-10-08   2025-03-19
HASH   aaecb10ca453bec3bb95bedac6d773a…    2024-10-08   2025-03-12
IPv4   6.6.4.1                             2024-10-08   2024-10-14
HASH   c38a378d4d9af72957183cddebb2a65…    2024-10-08   2024-10-08
HASH   42f3e0840bde6eccd1e17b32b48d6096    2024-10-08   2024-10-08

Two of the hashes are truncated as published here (marked …); only 42f3e0840bde6eccd1e17b32b48d6096 is complete, at 32 hex characters (MD5 length). The summary ties 206.206.127.152 to both the stager (port 9002) and the command channel (port 7031); 6.6.4.1 appears only in this indicator list and not in the analysis, so confirm its role in the source before blocking on it.
