A Korean analysis describes a Lazarus-attributed ZIP lure aimed at people seeking U.S. Forces Korea employment, disguised as instructions for the Multi National Recruitment System job site. The archive contained decoy PDF material and an LNK file masquerading with a Microsoft Edge icon; the shortcut launched cmd.exe and PowerShell with input redirected from Thumbs.db. Decoded PowerShell downloaded lsasetup.tmp and winrar.exe from jkmusic.co.kr, created scheduled tasks named zuzip and zconshost, and extracted a password-protected payload into ProgramData. The source provides representative hashes for the ZIP and embedded documents, making the lure chain, PowerShell download stage, and persistence commands the key defensive evidence.