Looks Like a Normal Resume, but Infection Starts the Moment It Runs
2026-06-17 • AhnLab
AhnLab observed malicious Windows LNK files disguised as resumes that show a benign decoy document while creating batch, PowerShell, and VBScript files under public user directories. The chain registers an `office365` scheduled task to run every 10 minutes, downloads additional components with `curl`, decodes a second PowerShell script, and creates startup persistence through a `MicrosoftBing.lnk` shortcut. The malware abuses `ProximityUxHost.exe` and `ProximityCommon.dll` for DLL side-loading, then injects the Xctdoor backdoor payload stored as `settings.dat` and attempts C2 communication. The report does not publish the download URL or C2 indicator in the public body.
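Added example, not from the AhnLab report: detection logic for the artifacts named above, run over constructed Sysmon-style events. The `C:\Users\Public` paths, the event field layout, and the expectation that the legitimate `ProximityUxHost.exe` runs only from `System32` are assumptions.

```python
import re

# Constructed sample events; field names follow Sysmon conventions (assumption),
# and every path, user name and script name below is illustrative, not from the report.
EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn office365 /sc minute /mo 10 /tr "C:\Users\Public\Documents\run.vbs" /f'},
    {"type": "file", "TargetFilename": r"C:\Users\Public\Documents\run.ps1"},
    {"type": "file", "TargetFilename":
     r"C:\Users\kim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftBing.lnk"},
    {"type": "process", "Image": r"C:\Users\Public\Music\ProximityUxHost.exe",
     "CommandLine": "ProximityUxHost.exe"},
    {"type": "process", "Image": r"C:\Windows\System32\ProximityUxHost.exe",
     "CommandLine": "ProximityUxHost.exe"},  # benign: expected system location
    {"type": "process", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /query /tn office365backup"},  # benign: query, other task
]

SYSTEM32 = "c:\\windows\\system32\\"
TASK_RE = re.compile(r'/create\b.*/tn\s+"?office365"?(?:\s|$)', re.I)
PUBLIC_SCRIPT_RE = re.compile(r"^c:\\users\\public\\.*\.(?:bat|ps1|vbs)$")

def classify(event):
    """Return the set of rule names a single event matches."""
    hits = set()
    if event["type"] == "process":
        image = event["Image"].lower()
        if image.endswith("\\schtasks.exe") and TASK_RE.search(event["CommandLine"]):
            hits.add("task_office365")
        # The side-loading host binary started from anywhere but System32.
        if image.endswith("\\proximityuxhost.exe") and not image.startswith(SYSTEM32):
            hits.add("sideload_host_outside_system32")
    elif event["type"] == "file":
        path = event["TargetFilename"].lower()
        if PUBLIC_SCRIPT_RE.search(path):
            hits.add("script_in_public_dir")
        if path.endswith("\\startup\\microsoftbing.lnk"):
            hits.add("startup_microsoftbing_lnk")
    return hits

def scan(events):
    """Return (event index, sorted rule names) for every event with a hit."""
    return [(i, sorted(h)) for i, e in enumerate(events) if (h := classify(e))]

if __name__ == "__main__":
    for index, rules in scan(EVENTS):
        print(index, rules)
```

Any single hit is weak on its own; several of these rules firing on one host within a short window is the pattern the chain above would produce.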