North Korean hacking group conducting phishing attacks impersonating the Fair Trade Commission!

2023-02-02 ESTSecurity North Korean hacking group conducting phishing attacks impersonating the Fair Trade Commission

https://blog.alyac.co.kr/5065


ESRC describes a Konni-attributed phishing campaign impersonating South Korea’s Fair Trade Commission with emails titled as advance notice of a written fact-finding survey. The attached ZIP contained decoy PDF material and LNK files masquerading as HWP documents; executing the shortcuts displayed benign documents while dropping VBS and CAB components into the Public folder. The malware established Run-key persistence, downloaded additional CAB content, executed batch and VBS scripts, and collected process lists, host information, downloads and desktop listings, and public IP data for upload to attacker infrastructure. Reported infrastructure included expressionkey[.]com and naver.down-files[.]com, with hashes for the malicious attachments supplied as IOCs.

Indicators of Compromise

