Upbit impersonation malware created by the North Korean hacking group Konni - 첨부1_성명_개인정보수집이용동의서.docx.lnk (2024.03.07)

2024-03-11 Sakai Upbit impersonation malware created by North Korean hacking group Konni - Attachment 1_Statement_Personal Information Collection and Use Agreement.docx.lnk (2024.03.07)

https://wezard4u.tistory.com/6754

A Korean write-up analyzes malware attributed by the author to the North Korean Konni group and disguised as an Upbit-related document package. The attack uses a ZIP archive containing a malicious LNK named like a personal-information consent DOCX file and a decoy mail-reference file; opening the LNK launches heavily obfuscated PowerShell. The script extracts embedded data from the shortcut, writes a DOCX and a CAB file under public locations, expands the archive, runs VBS and batch components, and proceeds with follow-on execution and cleanup. The evidence supports Konni-linked cryptocurrency-themed social engineering and a PowerShell/LNK delivery chain rather than a broader claim about confirmed theft.

Indicators of Compromise

