Malware created by the North Korean hacking group Konni: 가상자산 관련 외부평가위원 위촉 안내.hwp (Notice of Appointment of External Evaluators Related to Virtual Assets) (2025.5.2)

2025-05-30 Sakai: Malware Created by North Korean Hacking Group Konni - Notice of Appointment as External Evaluator for Virtual Assets.hwp (2025.5.2)

https://wezard4u.tistory.com/429498


A Konni-attributed LNK shortcut masquerades as a Korean HWP notice about appointing external evaluators for virtual assets. The shortcut runs PowerShell through rshell.exe, searches for an LNK file of a specific size, extracts payloads embedded at fixed offsets, XOR-decodes them with keys including 0x71 and 0x70, executes the recovered file, unpacks agenda.cab, and deletes the artifacts it created. Follow-on batch scripts register start.vbs under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence, download a password-protected ZIP from a WordPress path on seacura.com, unpack and execute 1.bat, and collect directory listings from user folders. The virtual-asset lure combined with the downloader behaviour makes this activity relevant to targeting of Korean cryptocurrency and financial-sector organisations.
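The extraction step above (payloads embedded at fixed offsets inside an oversized LNK, single-byte XOR keys 0x71 and 0x70) is the part an analyst most often needs to reproduce on the bench. The following triage helper is an added example written for this write-up; it is not code from the original post or from the actor's toolchain. It validates the ShellLinkHeader, then scans the shortcut body for XOR-encoded PE and CAB images using the two keys named in the report, confirming a PE hit via e_lfanew and the PE signature and a CAB hit via the MSCF header and its cbCabinet length. The 64 KiB oversize threshold, the header-validation heuristics and the sample bytes built by build_sample() are assumptions or constructed test data, not values taken from the malware.

```python
"""Triage helper for oversized LNK droppers that carry XOR-encoded payloads.

Added example (not the original post's code). The keys 0x71 and 0x70 are the
ones named in the report; everything else (threshold, sample bytes) is assumed.
"""
import struct
from typing import List, Optional

LNK_HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
REPORTED_KEYS = (0x71, 0x70)  # XOR keys mentioned in the report
OVERSIZE_THRESHOLD = 64 * 1024  # assumption: a genuine shortcut is a few KiB, not tens of KiB
CFHEADER_MIN = 36  # minimum size of a CAB CFHEADER structure


def is_lnk(data: bytes) -> bool:
    """True if data begins with a ShellLinkHeader (HeaderSize 0x4C + LNK CLSID)."""
    return (len(data) >= LNK_HEADER_SIZE
            and data[:4] == b"\x4c\x00\x00\x00"
            and data[4:20] == LNK_CLSID)


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Single-byte XOR, as used by the dropper to hide its embedded files."""
    return bytes(b ^ key for b in buf)


def _looks_like_pe(data: bytes, off: int, key: int) -> bool:
    """Decode a DOS header at off and confirm e_lfanew points at 'PE\\0\\0'."""
    if off + 0x40 > len(data):
        return False
    dos = xor_bytes(data[off:off + 0x40], key)
    if dos[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    pe_off = off + e_lfanew
    if e_lfanew < 0x40 or pe_off + 4 > len(data):
        return False
    return xor_bytes(data[pe_off:pe_off + 4], key) == b"PE\x00\x00"


def _cab_size(data: bytes, off: int, key: int) -> Optional[int]:
    """Return cbCabinet if a plausible CFHEADER decodes at off, else None."""
    if off + 12 > len(data):
        return None
    hdr = xor_bytes(data[off:off + 12], key)
    if hdr[:4] != b"MSCF" or hdr[4:8] != b"\x00" * 4:  # signature + reserved1
        return None
    cb = struct.unpack_from("<I", hdr, 8)[0]
    if cb < CFHEADER_MIN or off + cb > len(data):
        return None
    return cb


def carve_payloads(data: bytes, keys=REPORTED_KEYS) -> List[dict]:
    """Scan past the LNK header for XOR-encoded PE and CAB images.

    Returns dicts {offset, key, kind, size}, sorted by offset. PE size is left
    None because the DOS/COFF headers alone do not give the image length.
    """
    hits = []
    for key in keys:
        for off in range(LNK_HEADER_SIZE, len(data)):
            if data[off] ^ key != 0x4D:  # both magics start with 'M'; cheap pre-filter
                continue
            if _looks_like_pe(data, off, key):
                hits.append({"offset": off, "key": key, "kind": "pe", "size": None})
            cb = _cab_size(data, off, key)
            if cb is not None:
                hits.append({"offset": off, "key": key, "kind": "cab", "size": cb})
    return sorted(hits, key=lambda h: h["offset"])


def decode_region(data: bytes, offset: int, key: int, size: Optional[int] = None) -> bytes:
    """Recover one embedded file for offline analysis (never executed here)."""
    end = len(data) if size is None else offset + size
    return xor_bytes(data[offset:end], key)


def triage(data: bytes) -> dict:
    """Summarise why a shortcut deserves a closer look."""
    result = {"is_lnk": is_lnk(data), "oversized": len(data) > OVERSIZE_THRESHOLD, "payloads": []}
    if result["is_lnk"]:
        result["payloads"] = carve_payloads(data)
    return result


def build_sample() -> bytes:
    """Constructed test input: minimal LNK header, filler, a fake PE XOR 0x71,
    more filler, then a fake CAB XOR 0x70. These are not real malware bytes."""
    header = b"\x4c\x00\x00\x00" + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)           # e_lfanew -> right after it
    fake_pe += b"PE\x00\x00" + b"\x00" * 28               # signature + empty COFF header
    cab_body = b"\x00" * (CFHEADER_MIN - 12)
    fake_cab = b"MSCF" + b"\x00" * 4 + struct.pack("<I", 12 + len(cab_body)) + cab_body
    return (header + b"\x41" * 0x100 + xor_bytes(bytes(fake_pe), 0x71)
            + b"\x42" * 0x20 + xor_bytes(fake_cab, 0x70))


if __name__ == "__main__":
    sample = build_sample()
    for hit in triage(sample)["payloads"]:
        print(f"offset={hit['offset']:#06x} key={hit['key']:#04x} kind={hit['kind']} size={hit['size']}")
```

On a real sample the same scan is run over the shortcut file read from disk; a hit at a high offset in a multi-hundred-kilobyte LNK, combined with a size far above what a shortcut needs, is the signal that the dropper pattern described in the report is present, and decode_region() hands the embedded file to a sandbox or disassembler rather than to the shell.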

Indicators of Compromise

Type  Value                              First Seen  Last Seen
HASH  f9f3b762ed1719bf141c38f8c4f21d7…   2025-05-30  2025-05-30
HASH  eb4e370782f214d376c6041a0614086…   2025-05-30  2025-05-30
HASH  cbd734874b44e73ce155998db7e6663a   2025-05-30  2025-05-30
URL   https://www.seacura.com/wp-incl…   2025-05-30  2025-05-30
URL   https://www.seacura.com/wp-incl…   2025-05-30  2025-05-30
