Malware Created by the North Korean Hacking Group Konni: "Direction for Anti-Money Laundering Supervision of Virtual Asset Service Providers (2025.2.18)"
(Original Korean title: 북한 해킹 단체 코니(Konni) 에서 만든 악성코드-가상자산사업자 자금세탁방지 감독 방향(2025.2.18))

2025-02-24

https://wezard4u.tistory.com/429413

The source post attributes a malicious LNK (Windows shortcut) file, themed around anti-money-laundering supervision of virtual asset service providers, to the North Korea-linked Konni group. The file (SHA-256 4a6c23e76524364fe9b9f5ecd46dc73e7714cac93849a380f0d1b746fae3650d) poses as a shortcut to an HWP (Hangul Word Processor) document while carrying obfuscated PowerShell. When the shortcut is opened, the script locates PowerShell, finds the LNK file on disk by its specific size (the shortcut is its own payload carrier, so no first-stage download is needed), extracts XOR-encoded payloads from fixed offsets within the file, writes them under the Public Documents folder, expands a CAB archive, deletes the staging artifacts, and runs start.vbs. Follow-on batch scripts establish persistence through the HKCU Run key, download an encrypted ZIP from vetilministry.com, collect directory listings and system information, and upload the results to kerkenraad.com. Taken together this is a Konni-style initial-access and staging chain: LNK payload hiding, PowerShell and VBScript execution, Run-key persistence, downloader activity, and host reconnaissance.
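As an added illustration (not code from the source post, and not the real Konni sample), the following Python models the LNK payload-hiding technique the summary describes and the check a defender would run against a suspicious shortcut: it walks the Shell Link structure as laid out in MS-SHLLINK to find where a well-formed .lnk ends, treats anything after that point as appended payload, and tries to recover a single-byte XOR key by requiring the decoded data to start with the CAB magic MSCF. The sample shortcut, its decoy name and arguments, the XOR key 0x5A, the MSCF-headed payload and the single-byte-key, appended-after-structure placement are all constructed for this example; the excerpt only states that the real payloads are XOR-encoded and read from fixed offsets.

```python
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_FLAGS = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
CAB_MAGIC = b"MSCF"


def _u(fmt, data, pos):
    """unpack_from with a readable error when the file is truncated."""
    if pos + struct.calcsize(fmt) > len(data):
        raise ValueError(f"LNK truncated at offset {pos:#x}")
    return struct.unpack_from(fmt, data, pos)[0]


def lnk_structure_end(data):
    """Walk ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData and ExtraData
    and return the offset just past the ExtraData TerminalBlock, i.e. where a
    well-formed shortcut ends. Anything after this offset is appended data."""
    if len(data) < HEADER_SIZE or _u("<I", data, 0) != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = _u("<I", data, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + _u("<H", data, pos)              # IDListSize excludes its own 2 bytes
    if flags & HAS_LINK_INFO:
        pos += _u("<I", data, pos)                  # LinkInfoSize includes itself
    width = 2 if flags & IS_UNICODE else 1
    for flag in STRING_DATA_FLAGS:
        if flags & flag:
            pos += 2 + _u("<H", data, pos) * width  # CountCharacters, then the characters
    while True:
        size = _u("<I", data, pos)
        if size < 4:                                # TerminalBlock is 4 bytes with BlockSize < 4
            return pos + 4
        pos += size                                 # BlockSize includes the size field


def xor_bytes(buf, key):
    return bytes(b ^ key for b in buf)


def recover_single_byte_xor(blob, magic=CAB_MAGIC):
    """Brute-force a single-byte XOR key by requiring the decoded blob to start
    with the expected magic (MSCF for a CAB). Returns (key, plaintext) or None.
    Assumption for this example: a single-byte key; a multi-byte key defeats this."""
    if len(blob) < len(magic):
        return None
    for key in range(256):
        if xor_bytes(blob[:len(magic)], key) == magic:
            return key, xor_bytes(blob, key)
    return None


def analyze_lnk(data):
    """Report where the structure ends, how much data is appended, and whether a CAB was recovered."""
    end = lnk_structure_end(data)
    tail = data[end:]
    result = {"structure_end": end, "appended_bytes": len(tail), "xor_key": None, "cab_found": False}
    hit = recover_single_byte_xor(tail)
    if hit:
        result["xor_key"], result["cab_found"] = hit[0], True
    return result


# --- constructed sample shortcut for the example; not the real Konni file --------
def build_sample_lnk(payload=b"", key=0):
    """Build a minimal spec-conformant LNK (IDList, Name, Arguments, no LinkInfo)
    and append an XOR-encoded payload after the ExtraData TerminalBlock."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_NAME | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL
    item = struct.pack("<H", 20) + b"\x1f" + b"\x00" * 17     # one 20-byte ItemID, contents arbitrary
    idlist = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"  # IDListSize covers the TerminalID

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = idlist + string_data("notice.hwp") + string_data("-ep bypass")  # constructed decoy values
    terminal = b"\x00\x00\x00\x00"
    return header + body + terminal + xor_bytes(payload, key)


FAKE_CAB = CAB_MAGIC + b"\x00" * 4 + b"constructed cab body, not a real archive"
SAMPLE = build_sample_lnk(FAKE_CAB, key=0x5A)

if __name__ == "__main__":
    print(analyze_lnk(SAMPLE))                  # appended data present, key 0x5A, CAB recovered
    print(analyze_lnk(build_sample_lnk()))      # clean shortcut: nothing past the TerminalBlock
```

Two points carry over to real hunting. The legitimate end of a shortcut is computable from the file alone, so a .lnk with a large amount of data past the TerminalBlock is a high-signal indicator whatever its decoy name, and that check does not depend on guessing the encoding. The XOR recovery, by contrast, only works for the single-byte case assumed here; a longer or offset-dependent key needs the extraction logic pulled from the PowerShell itself.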

Indicators of Compromise

Type    Value                               First Seen   Last Seen
HASH    4a6c23e76524364fe9b9f5ecd46dc73…    2025-02-24   2025-02-24
HASH    c09d17e968b250cadd66ec000d656d19    2025-02-24   2025-02-24
HASH    11f11d2ae39a35e433fe9c8f1b6a797…    2025-02-24   2025-02-24
URL     https://vetilministry.com/bg/wp…    2025-02-24   2025-02-24
URL     http://vetilministry.com/bg/wp-…    2025-02-24   2025-02-24
URL     https://vetilministry.com/bg/wp…    2025-02-24   2025-02-24
URL     http://vetilministry.com/bg/wp-…    2025-02-24   2025-02-24
URL     http://kerkenraad.com/src/uploa…    2025-02-24   2025-02-24
URL     http://kerkenraad.com/src/list.…    2025-02-24   2025-02-24
DOMAIN  kerkenraad.com                      2025-02-24   2025-02-24
DOMAIN  vetilministry.com                   2025-02-24   2025-02-24

The first HASH entry is the truncated form of the sample's SHA-256 given above; the other truncated values appear in that form in the source listing.
