Malicious LNK analysis

2025-02-26 Ssol2 Cyber threat report on Kimsuky, LNK

https://ssol2.kr/%EC%95%85%EC%84%B1-lnk-%EB%B6%84%EC%84%9D-2025-02-23-9607a1f3975454e8dfb544191df953ce-hijackloader-ryuk-469e64318f14

A malicious LNK sample shared on X with a Kimsuky tag used a DOCX icon as its lure and carried an embedded mshta.exe command; the author cautions against leaning too heavily on the group label. LECmd analysis showed the shortcut extracting data from offset 0x0938 into c:\programdata\n.ps1 and launching it with PowerShell's execution-policy bypass. The dropped PowerShell script used reversed string indexing and base64-encoded content, then attempted to download payloads from Dropbox and a C2 server into c:\programdata\gs.zip, c:\programdata\k.zip, and c:\programdata\tmps2.ps1. Because the remote payloads were no longer available, final-stage analysis was limited, but the decoded script showed persistence through a Run registry key modification and scheduled task creation. Useful artifacts from the LNK include SHA256 hashes, file paths, and the Machine ID, MAC address, and SID values it carries.
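
The execution and persistence chain summarized above, turned into simple detection rules run over constructed process-creation events (an added example, not code from the Ssol2 report). The event shape, rule names, and the angle-bracket placeholders for arguments the summary does not give are assumptions; the binaries and paths are the ones named above.

```python
import re

# Constructed Sysmon-style events (image/parent/cmd) modelling the reported chain:
# LNK -> mshta.exe -> powershell -ep bypass -> .ps1 under C:\ProgramData -> Run key / schtasks.
# Arguments not given in the summary are placeholders in angle brackets.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmd": "explorer.exe"},
    {"id": 2, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": "mshta.exe <constructed-argument>"},
    {"id": 3, "image": PS, "parent": r"C:\Windows\System32\mshta.exe",
     "cmd": r"powershell.exe -ep bypass -f c:\programdata\n.ps1"},
    {"id": 4, "image": PS, "parent": PS,
     "cmd": r'powershell.exe -c "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows'
            r'\CurrentVersion\Run -Name <constructed-name> -Value c:\programdata\tmps2.ps1"'},
    {"id": 5, "image": r"C:\Windows\System32\schtasks.exe", "parent": PS,
     "cmd": r"schtasks.exe /create /tn <constructed-task> /sc minute /tr c:\programdata\tmps2.ps1"},
    # Benign admin use of the same bypass flag: parent and script location differ.
    {"id": 6, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": r"powershell.exe -ep bypass -f C:\Scripts\backup.ps1"},
]

PS_BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
PROGRAMDATA_PS1 = re.compile(r"programdata\\[^\s\"']+\.ps1", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\b", re.I)

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

# Rule name -> predicate over one event. Each rule maps to one stage of the reported chain.
RULES = {
    "mshta_spawns_powershell_bypass": lambda e: base(e["parent"]) == "mshta.exe"
        and base(e["image"]) == "powershell.exe" and PS_BYPASS.search(e["cmd"]) is not None,
    "ps1_under_programdata": lambda e: PROGRAMDATA_PS1.search(e["cmd"]) is not None,
    "run_key_persistence": lambda e: RUN_KEY.search(e["cmd"]) is not None,
    "scheduled_task_created": lambda e: base(e["image"]) == "schtasks.exe"
        and "/create" in e["cmd"].lower(),
}

def triage(events):
    """Return (rule, event id) pairs for every rule that fires on every event."""
    return [(name, e["id"]) for e in events for name, rule in RULES.items() if rule(e)]

def stages_seen(hits):
    """Distinct chain stages observed; all four together is a strong match for this report."""
    return {name for name, _ in hits}
```

Seeing every stage on one host within a short window is the signal worth alerting on; the single bypass-flag rule alone (event 6) is too noisy on its own.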

Indicators of Compromise

Type   Value                                First Seen   Last Seen
IPv4   64.20.59.148                         2025-02-26   2025-05-13
HASH   563a1cfd8788542cc19db91a52b8754…     2025-02-26   2025-02-26
HASH   0a40d68cf5342a9b9fdc5fbc2900d6ed     2025-02-26   2025-02-26
HASH   b54fdd6e637315cb0a24a9b1ae5563c…     2025-02-26   2025-02-26
