Malware created by North Korea's KONNI: 가상자산사업자+검사계획민당정회의+발표자료_FN2.hwp.lnk (2025.1.23)

2025-02-20 Malware Created by North Korea's KONNI - Virtual Asset Service Provider Inspection Plan Party-Government Council Presentation Materials_FN2.hwp.lnk (2025.1.23)

https://wezard4u.tistory.com/429410


The sample is attributed in the source to North Korea's KONNI group and uses a large Windows shortcut disguised as a virtual-asset business inspection and party-government meeting HWP document. The LNK launches obfuscated PowerShell that searches for a PowerShell executable, locates the matching shortcut by size, XOR-decrypts embedded payloads, drops files under C:\Users\Public\Documents, and executes follow-on VBS and batch components. The chain downloads a password-protected ZIP payload from teamfuels[.]com and uses batch and PowerShell upload routines to collect directory listings from Downloads, Documents, Desktop, and system information. Collected data is posted to forum.flasholr-app[.]com, giving operators host and file-inventory context that could support follow-on targeting in cryptocurrency or policy-adjacent environments.

Indicators of Compromise

Type     Value                                  First Seen   Last Seen
URL      https://teamfuels.com/modules/i…       2025-02-20   2026-01-14
URL      http://forum.flasholr-app.com/w…       2025-02-20   2026-01-14
DOMAIN   teamfuels.com                          2025-02-20   2026-01-14
DOMAIN   forum.flasholr-app.com                 2025-02-20   2026-01-14
HASH     e37c8f6aba686aab3d7ecedbd1d0ef43       2025-02-14   2026-01-14
DOMAIN   ystem.io                               2023-09-26   2025-08-21
URL      https://teamfuels.com/modules/i…       2025-02-20   2025-02-20
DOMAIN   ohbwduthnvsz.co                        2025-02-20   2025-02-20
HASH     5a8ecafbd5809000334bf5b940a497d…       2025-02-14   2025-02-20
