Malware created by North Korea's Konni impersonating the Korea Internet & Security Agency (KISA): KISA 알림.pdf.lnk (2025.5.8)

2025-05-13 Malware Created by North Korean Konni Impersonating the Korea Internet & Security Agency - KISA Notice.pdf.lnk (2025.5.8)

http://wezard4u.tistory.com/429485


Konni is linked to a malicious Windows shortcut (.lnk) disguised as a KISA notification PDF and apparently timed to exploit public concern around a recent SK Telecom breach. Opening the shortcut invokes mshta.exe, which runs obfuscated JavaScript that in turn launches PowerShell; the PowerShell stage writes temporary files under ProgramData and then enters a reverse-shell style loop: it connects to 64.20.59.148 on port 7711, sends an infection identifier, receives a one-line command, writes it to a temporary script, executes it, deletes the script, and repeats every 20 seconds. The write-up notes that the same IP was used in an earlier Konni impersonation case, so both the infrastructure and the LNK-to-mshta-to-PowerShell tradecraft are useful pivots for defenders tracking repeated DPRK-linked social-engineering operations.
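The chain described above (mshta.exe spawning PowerShell, a script path under ProgramData, and a 20-second beacon to 64.20.59.148:7711) maps directly onto a host-telemetry correlation. The following Python is an added example written for this page, not code from the write-up or the cited blog post: it models process-creation and network-connection events, flags PowerShell processes whose parent is mshta.exe, and looks for repeated connections to the C2 address at roughly 20-second intervals. The event field names, the three-second jitter tolerance, the ProgramData command-line heuristic and all sample events are constructed assumptions; only the IP, port and interval come from the write-up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicators taken from the write-up above.
C2_IP = "64.20.59.148"
C2_PORT = 7711
BEACON_INTERVAL = timedelta(seconds=20)
# Assumed jitter allowance around the 20 s cadence (not stated on the page).
BEACON_TOLERANCE = timedelta(seconds=3)


@dataclass
class ProcEvent:
    """Process-creation record (shape is assumed; map your EDR/Sysmon fields onto it)."""
    ts: datetime
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str


@dataclass
class NetEvent:
    """Outbound network-connection record (shape is assumed)."""
    ts: datetime
    pid: int
    dst_ip: str
    dst_port: int


def find_mshta_powershell_chains(procs):
    """Return (parent, child) pairs where mshta.exe spawned powershell.exe."""
    by_pid = {p.pid: p for p in procs}
    chains = []
    for child in procs:
        if not child.image.lower().endswith("\\powershell.exe"):
            continue
        parent = by_pid.get(child.ppid)
        if parent is not None and parent.image.lower().endswith("\\mshta.exe"):
            chains.append((parent, child))
    return chains


def touches_programdata(cmdline):
    """Heuristic (assumed): the command line references a path under ProgramData."""
    return "\\programdata\\" in cmdline.lower()


def find_c2_beacons(nets, ip=C2_IP, port=C2_PORT, min_intervals=2):
    """Return the set of PIDs that reached ip:port at about BEACON_INTERVAL cadence.

    A PID is reported once at least `min_intervals` consecutive gaps between its
    connections fall within BEACON_INTERVAL +/- BEACON_TOLERANCE.
    """
    per_pid = {}
    for n in nets:
        if n.dst_ip == ip and n.dst_port == port:
            per_pid.setdefault(n.pid, []).append(n.ts)
    beaconing = set()
    for pid, stamps in per_pid.items():
        stamps.sort()
        matching = 0
        for earlier, later in zip(stamps, stamps[1:]):
            if abs((later - earlier) - BEACON_INTERVAL) <= BEACON_TOLERANCE:
                matching += 1
        if matching >= min_intervals:
            beaconing.add(pid)
    return beaconing


def triage(procs, nets):
    """Correlate lineage with behaviour: a PowerShell child of mshta.exe that
    either beacons to the C2 or stages files under ProgramData is a suspect."""
    suspects = set()
    beacons = find_c2_beacons(nets)
    for _parent, child in find_mshta_powershell_chains(procs):
        if child.pid in beacons or touches_programdata(child.cmdline):
            suspects.add(child.pid)
    return sorted(suspects)


# Constructed sample telemetry (not real logs): one infected chain, one benign PowerShell.
T0 = datetime(2025, 5, 13, 9, 0, 0)
SAMPLE_PROCS = [
    ProcEvent(T0, 1200, 900, r"C:\Windows\System32\mshta.exe",
              "mshta.exe <obfuscated javascript>"),
    ProcEvent(T0 + timedelta(seconds=1), 1300, 1200,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\ProgramData\tmp.ps1"),
    ProcEvent(T0, 1400, 800,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]
SAMPLE_NETS = [
    NetEvent(T0 + timedelta(seconds=1), 1300, C2_IP, C2_PORT),
    NetEvent(T0 + timedelta(seconds=21), 1300, C2_IP, C2_PORT),
    NetEvent(T0 + timedelta(seconds=41), 1300, C2_IP, C2_PORT),
    NetEvent(T0 + timedelta(seconds=62), 1300, C2_IP, C2_PORT),
    NetEvent(T0 + timedelta(seconds=5), 1400, "10.0.0.5", 443),
    NetEvent(T0 + timedelta(seconds=25), 1400, "10.0.0.5", 443),
]

if __name__ == "__main__":
    print("suspect PIDs:", triage(SAMPLE_PROCS, SAMPLE_NETS))
```

Either signal alone is noisy: mshta spawning PowerShell occurs in some legitimate HTA tooling, and a single connection to the IP could be a scanner or sandbox. Requiring the lineage plus either the ProgramData staging or the periodic beacon keeps the rule tight while still catching a host whose first beacon was missed.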

Indicators of Compromise

Type    Value                                First Seen   Last Seen
HASH    676ddf398f9afbbc583057904579de21     2025-05-13   2025-05-13
HASH    7d997e913766c9b9d163405ce4572ba…     2025-05-13   2025-05-13
HASH    cf9d55508350adeee30606ebb3c31ad…     2025-05-13   2025-05-13
DOMAIN  stem.net                             2025-05-13   2025-05-13
IPv4    64.20.59.148                         2025-02-26   2025-05-13
DOMAIN  stem.io                              2024-05-22   2025-05-13
