Malware created by the hostile North Korean hacking group Konni: 자금출처명세서.lnk ("Statement of Source of Funds.lnk") (2025.5.28)

2025-07-21 Sakai Malware Created by North Korean Hostile Hacking Group Konni - Statement of Source of Funds.lnk (2025.5.28)

https://wezard4u.tistory.com/429544

The source analyzes a Konni-attributed LNK sample: a Windows shortcut (자금출처명세서.lnk) posing as a Hangul (HWP) document titled as a statement of source of funds. Its embedded PowerShell locates a .lnk file of one specific size (the shortcut itself), reads payload bytes from fixed offsets in that file, XOR-decodes them, writes the result as a CAB archive under the Public documents path, expands it, and launches a VBS script from the extracted contents. Follow-on batch scripts enumerate the user's Downloads, Documents and Desktop folders together with system information and write the listings to text files for collection. The stealer stage encrypts the collected files with its own RC4 implementation under a key derived from the current time, Base64-encodes the ciphertext, and POSTs it with a browser-like User-Agent. The exfiltration endpoint is hxxps://24hrkpop(.)com/wp-includes/js/src/lib/upload(.)php; the wp-includes path is a WordPress core directory, and the source says this legitimate Korean K-pop website was compromised and abused for the campaign's distribution and collection infrastructure.
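The two technique-level details above (an XOR-obfuscated CAB carved from a fixed offset inside the .lnk, and an RC4-then-Base64 exfiltration body) are the parts an analyst reproduces during triage. The Python below is an added example written for this summary; it is not code from the source blog post or from the malware. It assumes a single-byte repeating XOR key (the source does not state the key or its length), uses the CAB "MSCF" signature as the known plaintext to recover that key and the offset, and treats the RC4 key as an opaque byte string because the time-derivation scheme is not given. The sample blob is constructed inline and is not the real dropper.

```python
"""Triage helpers for an LNK dropper carrying an XOR-obfuscated CAB payload.

Added example (not from the source). Assumptions are marked inline.
"""
import base64
import struct

# Shell Link header: HeaderSize 0x4C followed by LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID byte order.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
CAB_MAGIC = b"MSCF"
CFHEADER_LEN = 36  # fixed part of the CAB header; cbCabinet is the u32 at +8


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_lnk(blob: bytes) -> bool:
    """True if the blob starts with a well-formed Shell Link header."""
    return blob[: len(LNK_HEADER)] == LNK_HEADER


def find_xored_cab(blob: bytes, start: int = 0x4C):
    """Scan past the LNK header for an offset where one XOR key yields 'MSCF'.

    Assumption: single-byte key. The first byte fixes the only candidate key;
    the remaining magic bytes and a sane cbCabinet confirm it. Returns
    (offset, key) or None.
    """
    for off in range(start, len(blob) - CFHEADER_LEN):
        key = blob[off] ^ CAB_MAGIC[0]
        if not all(blob[off + i] ^ key == CAB_MAGIC[i] for i in range(1, 4)):
            continue
        head = xor_bytes(blob[off : off + 12], bytes([key]))
        cb = struct.unpack_from("<I", head, 8)[0]
        if CFHEADER_LEN <= cb <= len(blob) - off:
            return off, key
    return None


def carve_cab(blob: bytes, offset: int, key: int) -> bytes:
    """Decode from offset and cut at cbCabinet, the CAB's declared total size."""
    head = xor_bytes(blob[offset : offset + 12], bytes([key]))
    cb = struct.unpack_from("<I", head, 8)[0]
    if not CFHEADER_LEN <= cb <= len(blob) - offset:
        raise ValueError("cbCabinet out of range; wrong key or offset")
    return xor_bytes(blob[offset : offset + cb], bytes([key]))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Symmetric, so the same call decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_exfil(data: bytes, key: bytes) -> str:
    """Base64(RC4(data)), the body shape the summary describes for the POST."""
    return base64.b64encode(rc4(key, data)).decode("ascii")


def decode_exfil(body: str, key: bytes) -> bytes:
    """Reverse a captured body once the (time-derived) key has been recovered."""
    return rc4(key, base64.b64decode(body))


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed stand-in for the dropper: LNK header, filler, XORed CAB.

    Not real malware bytes. The CAB is only a CFHEADER with a correct
    cbCabinet plus placeholder data; it is enough to exercise the carver.
    """
    body = b"A" * 64
    cab = bytearray(CAB_MAGIC + b"\x00" * 4)          # signature, reserved1
    cab += struct.pack("<I", CFHEADER_LEN + len(body))  # cbCabinet
    cab += b"\x00" * (CFHEADER_LEN - len(cab))          # rest of CFHEADER
    cab += body
    lnk = LNK_HEADER + b"\x00" * (0x4C - len(LNK_HEADER)) + b"\x90" * 40
    return lnk + xor_bytes(bytes(cab), bytes([key]))


if __name__ == "__main__":
    blob = build_sample()
    hit = find_xored_cab(blob)
    print("lnk header ok:", is_lnk(blob), "| cab at/key:", hit)
    if hit:
        cab = carve_cab(blob, *hit)
        print("carved", len(cab), "bytes, magic", cab[:4])
```

The scan deliberately keys on the CAB signature rather than on the fixed offsets the real sample uses, so the same helper works when a later variant moves the payload; the cbCabinet sanity check keeps the single-byte key guess from firing on four coincidental bytes. For the exfil side, `decode_exfil` only becomes useful once the time-derived key has been reconstructed from the sample's own key-generation code, which is exactly the step a full analysis would document.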

Indicators of Compromise

Type    Value                               First seen   Last seen
HASH    ba708acd2ea044fd8076dfd1bb540e77    2025-07-21   2025-07-21
HASH    066ef37379b12dcd9e1524b936d65c0…    2025-07-21   2025-07-21
HASH    d5b59f06c2505cb28d1e7e52138b40e…    2025-07-21   2025-07-21
URL     https://24hrkpop.com/wp-include…    2025-07-21   2025-07-21
DOMAIN  24hrkpop.com                        2025-07-21   2025-07-21
