North Korean Hacking Organization Konni Distributes Malware Abusing a Decoy Document, VAT Payment Notice (Enforcement Rules of the National Tax Collection Act) (2025.4.28)

2025-05-05 Sakai North Korean Hacking Organization Konni Distributes Malware Abusing a Decoy Document, VAT Payment Notice (Enforcement Rules of the National Tax Collection Act) (2025.4.28)

https://wezard4u.tistory.com/429478


A Konni-attributed campaign used a malicious LNK disguised as a Korean VAT payment notice form, carrying an HWP-style filename and icon. The LNK runs obfuscated PowerShell that locates the shortcut file on disk by its file size, extracts XOR-encoded payload data from it, expands a CAB archive into the Public Documents path, and executes the follow-on scripts. The infection chain then downloads a password-protected ZIP from deliberatecollaboration.com, unpacks batch files, and repeatedly attempts to execute them while deleting temporary files and other traces. The payload collects file listings from the Downloads, Documents, and Desktop folders together with system information, encrypts the collected text, and uploads it by HTTP POST, supporting reconnaissance and information theft from infected Windows systems.
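Two traits of the chain described above are cheap to check for on a defender's side: the shortcut is far larger than a normal LNK (which is exactly why the stager can find it by size), and the appended payload is a XOR-encoded CAB archive. The following triage helper is an added example written for this page, not code from the blog post or from the analysed sample; it parses the fixed ShellLinkHeader, flags oversized shortcuts (the 64 KiB threshold is an assumption), and brute-forces a single-byte XOR key to recover the CAB "MSCF" signature. The sample LNK it builds is constructed for the test and is not the real dropper.

```python
"""Triage helper for suspicious Windows shortcut (.lnk) files.

LNK droppers of this kind keep the real payload appended after the shortcut
structure, XOR-encoded, and the stager later finds the LNK on disk by its
unusual size. This checker flags both traits: an oversized shortcut, and a
CAB signature ("MSCF") recoverable under a single-byte XOR key.
"""
import struct

LNK_HEADER_SIZE = 0x4C                      # ShellLinkHeader is always 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
CAB_MAGIC = b"MSCF"                         # Microsoft Cabinet file signature
SIZE_THRESHOLD = 64 * 1024                  # assumption: benign shortcuts are far smaller than 64 KiB


def is_shell_link(data: bytes) -> bool:
    """True if data starts with a valid ShellLinkHeader (size field + link CLSID)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_xor_magic(data: bytes, magic: bytes) -> list:
    """Find every offset where `magic` appears under some single-byte XOR key.

    Returns sorted (offset, key) pairs; key 0 means the signature is in the clear.
    """
    hits = []
    for key in range(256):
        probe = bytes(b ^ key for b in magic)
        off = data.find(probe)
        while off != -1:
            hits.append((off, key))
            off = data.find(probe, off + 1)
    return sorted(hits)


def triage_lnk(data: bytes, size_threshold: int = SIZE_THRESHOLD) -> dict:
    """Return a verdict dict for the bytes of one shortcut file."""
    result = {
        "is_lnk": is_shell_link(data),
        "size": len(data),
        "oversized": len(data) > size_threshold,
        "cab_hits": [],
    }
    if result["is_lnk"]:
        result["cab_hits"] = find_xor_magic(data, CAB_MAGIC)
    result["suspicious"] = result["is_lnk"] and (result["oversized"] or bool(result["cab_hits"]))
    return result


def build_sample_lnk(xor_key: int = 0x5A, total_size: int = 80 * 1024) -> bytes:
    """Constructed test input (not a real sample): a minimal shortcut header,
    a zeroed link body, a fake CAB header XOR-encoded with `xor_key`, and
    padding so the file is oversized."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # flags, timestamps, etc. zeroed
    link_body = b"\x00" * 512                              # stand-in for link target data
    fake_cab = CAB_MAGIC + b"\x00" * 32                    # stand-in for a CAB archive
    encoded = bytes(b ^ xor_key for b in fake_cab)
    filler = b"\x00" * (total_size - len(header) - len(link_body) - len(encoded))
    return header + link_body + encoded + filler


if __name__ == "__main__":
    print(triage_lnk(build_sample_lnk()))
```

Run it over a directory of collected shortcuts by reading each file's bytes into triage_lnk. The XOR search matches only a four-byte window, so a hit is a lead for manual extraction rather than proof; a shortcut that is both oversized and carries a decoded MSCF signature is the combination worth escalating.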

Indicators of Compromise

Type    Value                               First Seen  Last Seen
DOMAIN  ystem.io                            2023-09-26  2025-08-21
HASH    928ff0f4bd8cf4e2b6ba7f6fe0e3b49…    2025-05-05  2025-05-05
HASH    bdd0438f00d760eb23ae707071672c8…    2025-05-05  2025-05-05
HASH    990c0f2ec42713e0f7d49458da7446f…    2025-05-05  2025-05-05
HASH    80e1758c0d6dcf5de932226958ba3361    2025-05-05  2025-05-05
HASH    68a92a2df9d7be6e36bc3efa7d37cebc    2025-05-05  2025-05-05
HASH    2d27304151fc8299288feb084640079…    2025-05-05  2025-05-05
URL     https://deliberatecollaboration…    2025-05-05  2025-05-05
DOMAIN  deliberatecollaboration.com         2025-05-05  2025-05-05
