Malware created by the North Korean hacking group Konni: 2024년 귀속 연말정산 안내문_세한.docx (2024 Year-End Tax Settlement Guide_Sehan.docx) (2025.2.28)

2025-03-07 Sakai Konni Malware Disguised as a 2024 Year-End Tax Settlement Guide

https://wezard4u.tistory.com/429425


A Konni-linked LNK sample masqueraded as a 2024 year-end tax settlement guide document and embedded heavily obfuscated PowerShell in the shortcut command line. The script searched for a PowerShell executable, extracted and XOR-decrypted payload data from the LNK, executed the recovered payload, created a CAB archive, expanded files into a public documents path, and deleted staging files. Follow-on batch scripts downloaded a ZIP from acschoolcatering.com, unpacked and ran additional content, collected file listings from Downloads, Documents, and Desktop along with system information, and uploaded the data to roofcolor.com over HTTP POST. The excerpt lists hashes for the LNK sample and shows infrastructure including acschoolcatering.com and roofcolor.com, making the activity useful for tracking Konni tradecraft around document-themed LNK delivery, payload staging, and host reconnaissance.

Indicators of Compromise

Type    Value                                      First Seen   Last Seen
HASH    a2785ec65622217be80174b887b1eb06           2025-03-07   2025-03-28
HASH    b81513f0f8d3db382bb8f931bf2b7a0…           2025-03-07   2025-03-28
URL     http://www.roofcolor.com/wp-inc…           2025-03-07   2025-03-28
DOMAIN  roofcolor.com                              2025-03-07   2025-03-28
HASH    5820e221437e87d6663adaddedb05bb…           2025-03-07   2025-03-07
URL     http://www.roofcolor.com/wp-inc…           2025-03-07   2025-03-07
URL     https://www.acschoolcatering.co…           2025-03-07   2025-03-07
