North Korean Konni malware disguised as a KB Kookmin Bank foreign-exchange transaction explanation document submission form - Explanation Document Submission Guide (2025.5.13)

2025-05-26 Sakai namestring: hwp File

https://wezard4u.tistory.com/429495


This entry summarizes Konni activity that uses a KB Kookmin Bank foreign-exchange transaction explanation document (소명자료 제출서) as the lure. The delivered file is a malicious Windows shortcut (LNK) named to look like an HWP document; because Explorer never shows the .lnk extension, a shortcut named after the submission guide appears to the victim as a plain .hwp file. Opening it runs obfuscated PowerShell that searches for an LNK of a specific byte size (presumably to locate its own file), decodes data embedded in it with single-byte XOR keys, writes the decoded data as a CAB archive under the Public Documents folder, expands the archive, and executes the follow-on scripts it contains. The batch/VBS chain then establishes persistence through an HKCU Run key value, downloads additional payloads from a WordPress path on rayanlynch.com (the wp-i… URLs in the IOC table below), and can retrieve CAB content tailored to the host, selected by its computer name. The collection stage records directory listings of Downloads, Documents, and Desktop together with systeminfo output and uploads the results to an external PHP endpoint. The campaign is therefore most relevant to Korean users who handle banking or foreign-exchange paperwork; practical detection points are PowerShell launched from a .lnk that reads its own file and writes a CAB into Public Documents, a newly added HKCU Run value, and outbound requests to rayanlynch.com.
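The following triage script is an added example and is not code from the report or from the malware; it demonstrates the embedding technique described above by doing the reverse of what the dropper's PowerShell does. It scans a shortcut for a CAB archive that was appended to the link data and obscured with a single-byte XOR key, validates the candidate against the CAB CFHEADER layout (the cbCabinet field must fit within the remaining bytes), and carves the decoded archive out. The optional expected_size check mirrors the dropper's habit of locating its LNK by exact file size; the byte size, the XOR key 0x5A and the minimal CAB used for the self-test are all constructed values, not indicators from the campaign.

```python
"""
Triage helper for LNK droppers that carry a single-byte-XOR-encoded CAB.
Added example, not the original report's code. Usage:
    python lnk_xor_cab.py suspicious.hwp.lnk
With no argument it runs against a constructed sample.
"""
import struct
import sys
from typing import List, Optional, Tuple

CAB_MAGIC = b"MSCF"
CFHEADER_LEN = 36  # fixed CFHEADER: signature .. iCabinet
# ShellLinkHeader starts with HeaderSize 0x0000004C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046}, little-endian fields.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_lnk(blob: bytes, expected_size: Optional[int] = None) -> bool:
    """True if blob begins like a Shell Link and, if given, has exactly the
    file size the dropper's PowerShell would use to find its own LNK."""
    if not blob.startswith(LNK_MAGIC):
        return False
    return expected_size is None or len(blob) == expected_size


def find_xor_cab(blob: bytes) -> List[Tuple[int, int]]:
    """Try every single-byte key and report (offset, key) pairs where decoding
    yields 'MSCF' and a CFHEADER whose cbCabinet fits in the remaining bytes.
    The cbCabinet check filters chance 4-byte matches."""
    hits = []
    for key in range(256):
        needle = xor_bytes(CAB_MAGIC, key)
        pos = blob.find(needle)
        while pos != -1:
            hdr = xor_bytes(blob[pos:pos + CFHEADER_LEN], key)
            if len(hdr) == CFHEADER_LEN:
                cb_cabinet = struct.unpack_from("<I", hdr, 8)[0]
                if CFHEADER_LEN <= cb_cabinet <= len(blob) - pos:
                    hits.append((pos, key))
            pos = blob.find(needle, pos + 1)
    return hits


def carve_cab(blob: bytes, offset: int, key: int) -> bytes:
    """Decode and return the CAB at offset, sized from its cbCabinet field."""
    hdr = xor_bytes(blob[offset:offset + CFHEADER_LEN], key)
    cb_cabinet = struct.unpack_from("<I", hdr, 8)[0]
    return xor_bytes(blob[offset:offset + cb_cabinet], key)


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed test input (not a real sample): a 76-byte ShellLinkHeader
    stub, 64 bytes of padding, then a minimal CAB XORed with `key`."""
    payload = b"A" * 20
    cb_cabinet = CFHEADER_LEN + len(payload)
    cfheader = (
        CAB_MAGIC
        + b"\x00" * 4                               # reserved1
        + struct.pack("<I", cb_cabinet)             # cbCabinet: total archive size
        + b"\x00" * 4                               # reserved2
        + struct.pack("<I", CFHEADER_LEN)           # coffFiles
        + b"\x00" * 4                               # reserved3
        + bytes([3, 1])                             # versionMinor, versionMajor
        + struct.pack("<HHHHH", 1, 1, 0, 0x1234, 0)  # cFolders, cFiles, flags, setID, iCabinet
    )
    lnk_stub = LNK_MAGIC + b"\x00" * (76 - len(LNK_MAGIC))
    return lnk_stub + b"\x00" * 64 + xor_bytes(cfheader + payload, key)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("shell link header:", looks_like_lnk(data), "size:", len(data))
    for off, k in find_xor_cab(data):
        cab = carve_cab(data, off, k)
        print(f"CAB candidate at offset {off}, key 0x{k:02x}, {len(cab)} bytes")
```

On a real sample, write each carved candidate to disk and expand it with expand.exe or cabextract in an isolated VM; a hit at key 0x00 simply means the CAB was appended in the clear.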

Indicators of Compromise

Type   Value                                  First Seen   Last Seen
HASH   6a4c3256ff063f67d3251d6dd8229931       2025-05-26   2026-01-18
URL    https://www.rayanlynch.com/wp-i…       2025-05-26   2026-01-14
URL    https://www.rayanlynch.com/wp-i…       2025-05-26   2026-01-14
URL    https://www.rayanlynch.com/wp-i…       2025-05-26   2026-01-14
HASH   135696c7a5b543ce2ab4a6aac7615d4…       2025-05-26   2025-05-26
HASH   305246b52f043f021761f7010fe5794…       2025-05-26   2025-05-26
