The report examines three malicious LNK files attributed to Kimsuky spear-phishing activity and groups them into two types based on C2 ports, filenames, and Google Drive details. The LNK files masquerade as .docx or .eml documents with Microsoft Word or Outlook icons and use mshta.exe to execute malicious JavaScript and PowerShell. The attack chain uses Dropbox and Google Drive to download reconnaissance code, collect and upload system information, then install a PowerShell backdoor with persistence through Run registry keys and scheduled tasks. Follow-on tooling includes PebbleDash and RDP Wrapper to enable remote control, remote execution, and additional malicious activity.