Malware created by the North Korean hacking group Konni APT (Advanced Persistent Threat): 오류발견 수정신고 제출 요청 안내(국세징수법 시행규칙).hwp.lnk ("Notice of Request to Submit a Corrected Report for Discovered Errors (Enforcement Rules of the National Tax Collection Act)") (2025.1.7)

2025-01-24 Sakai Konni APT Malware Disguised as a Tax Collection Act Correction Request LNK File

https://wezard4u.tistory.com/429389


The Korean analysis attributes a `.hwp.lnk` sample, themed as a tax-collection correction-request notice, to Konni APT, a North Korean-linked group described as targeting government and organizational victims in South Korea and the United States. The LNK command locates PowerShell, runs obfuscated script logic, XOR-decrypts embedded content using keys including `0x2B` and `0x72`, extracts a CAB payload, launches a VBS script from `C:\Users\Public\Documents`, and deletes its artifacts to hinder analysis. Follow-on batch activity collects file listings from the Downloads, Documents, and Desktop folders together with system information, then uploads the results to `subscheme.info` under host-specific filenames. The excerpt identifies persistence and staging artifacts such as `start.vbs`, `elsewhere.cab`, `rshell.exe`, and the upload/list PHP paths, describing an intrusion chain focused on reconnaissance, file discovery, and data exfiltration from Korean victims.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
DOMAIN  stem.io                             2024-05-22   2025-05-13
URL     http://subscheme.info/list.php?…    2025-01-24   2025-01-24
URL     http://subscheme.info/list.php?…    2025-01-24   2025-01-24
DOMAIN  hvil-telegram.org                   2025-01-15   2025-01-24
HASH    c8556d5dd6383b600a459a531beb05ff    2025-01-07   2025-01-24
HASH    3024b5438f5d63cdedb1c473cba07b1…    2025-01-07   2025-01-24
HASH    4cd7e92ac6a3d068683d41beabd82d8…    2025-01-07   2025-01-24
URL     http://subscheme.info/upload.php    2025-01-07   2025-01-24
DOMAIN  subscheme.info                      2025-01-07   2025-01-24
