Malware created by Kimsuky suspected of targeting the Korean Embassy in China - 202404주중대사관 정책간담회.rar (2024.3.29)

2024-04-03 Malware created by Kimsuky suspected of targeting the Korean Embassy in China - 202404 Korean Embassy in China Policy Meeting.rar (2024.3.29)

http://wezard4u.tistory.com/6776


A Kimsuky-attributed RAR archive used a Korean Embassy in China policy-meeting theme to lure likely embassy or policy-related personnel into running a shortcut (LNK) file disguised with an HWP-style document icon. The LNK launches hidden PowerShell, extracts embedded content, deletes the original shortcut, authenticates to Dropbox with API credentials, downloads /step5/ps.bin, AES-decrypts it with a hardcoded password, and executes the resulting script. The lure document impersonates a private Korea-China and North Korea-China security policy meeting plan, supporting the social-engineering angle against diplomatic or government-linked targets. The excerpt provides file hashes for the RAR, the LNK, and the generated artifact, a Google Drive delivery URL, a Dropbox download path, and antivirus detections including LNK/Kimsuky and Powecod-style behavior.

Indicators of Compromise

Type    Value                                First Seen   Last Seen
HASH    a4bd6d00abbd79ab00161ff538cfe703     2024-04-03   2024-04-17
HASH    075d7249d09f14cbf0a4ffcb077c775…     2024-04-03   2024-04-10
HASH    fe156159a26f8b7c140db61dd8b136e…     2024-04-03   2024-04-10
HASH    32e739ea04e2afc0f73d54f78f08cc3…     2024-04-03   2024-04-03
HASH    724bf81c0a9adb3ffe6b03a21f7cab09     2024-04-03   2024-04-03
HASH    bfcb7e6e5048c19020e26be236d7071…     2024-04-03   2024-04-03
HASH    a20aa6632048852a2e40cd5a6cfebfda     2024-04-03   2024-04-03
HASH    e9a73243f0fbd158ad0113753c3b289…     2024-04-03   2024-04-03
HASH    fc5f07699655fd283b9c525233f4c9a…     2024-04-03   2024-04-03
EMAIL   [email protected]                    2024-04-03   2024-04-03
URL     https://content.dropboxapi.com/…     2024-04-03   2024-04-03
DOMAIN  system.io.me                         2024-04-03   2024-04-03
URL     https://api.dropboxapi.com/oaut…     2024-03-28   2024-04-03
