A Konni-themed intrusion used a ZIP lure impersonating a Bithumb cryptocurrency-exchange information update request tied to financial-authority project reporting. The archive contained a decoy PDF and a large Windows shortcut disguised as an Excel file, with the LNK embedding obfuscated PowerShell that extracts XOR-encoded payload data into Public Documents. The execution chain creates and runs VBS and batch scripts, collects file listings from Downloads, Documents, and Desktop plus system information, and uploads the results to hxxp://shutss(.)com/upload(.)php. The source links Konni to North Korean activity including Thallium/APT37 and possible Kimsuky overlap, while noting this specific lure appears aimed at cryptocurrency-related targets and lists infrastructure including shutss(.)com and thevintagegarage(.)com.