Malicious LNK Files Distributing Python-Based Backdoors and Changes in Their Distribution Method (Kimsuky Group)
2026-04-01 • AhnLab • Changes in Malicious LNK Distribution Methods Delivering Python-Based Backdoors (Kimsuky Group)
AhnLab ASEC reported a shift in Kimsuky’s malicious LNK delivery method for Python-based backdoors and downloaders. The newer chain uses document-themed LNK lures, hidden files under C:\windirr, XML Task Scheduler entries, VBS and PowerShell scripts, Dropbox-based staging, and split ZIP downloads that unpack a Python backdoor to C:\winii. The backdoor communicates with 45.95.186[.]232:8080, signals a successful infection by sending the string “HAPPY,” and supports operator commands for shell execution, drive checks, directory listing, file upload and download, secure deletion, and launching executable or script files. AhnLab cites overlaps with prior Kimsuky tradecraft, including similar GoogleUpdate-style task names, sch_*.db scheduler XML files, and reused decoy documents, showing continued adaptation of the same LNK-based infection model.
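As an added example (not code from AhnLab or the report), a small triage script that matches the chain's indicators quoted above against endpoint telemetry: the staging directories, sch_*.db scheduler XML names, GoogleUpdate-style task names, the C2 address and the “HAPPY” beacon. The event schema, rule names and sample events are assumptions constructed here; host-level escalation requires hits from more than one stage of the chain, since a task-name match alone also fires on Google's legitimate updater.

```python
import re

# Indicators quoted from the AhnLab summary on this page; rule names, the event
# schema and the sample telemetry below are constructed for this example.
C2_IP, C2_PORT = "45.95.186.232", 8080
BEACON = "HAPPY"  # infection signal the backdoor sends to the C2
STAGING_DIRS = (r"c:\windirr", r"c:\winii")
SCHED_XML = re.compile(r"(^|[\\/])sch_[^\\/]*\.db$", re.I)  # sch_*.db task XML
TASK_NAME = re.compile(r"googleupdate", re.I)  # GoogleUpdate-style task names

def classify(event):
    """Return the names of the rules a single endpoint event matches."""
    hits = []
    kind = event.get("type")
    if kind == "file_create":
        path = event.get("path", "").lower()
        if path.startswith(STAGING_DIRS):
            hits.append("staging_dir")
        if SCHED_XML.search(path):
            hits.append("sched_xml")
    elif kind == "task_create":
        # Google's own updater registers a similarly named task, so this rule
        # is low confidence alone and only adds to the host-level score.
        if TASK_NAME.search(event.get("task_name", "")):
            hits.append("task_name")
    elif kind == "net_connect":
        if event.get("dst_ip") == C2_IP and event.get("dst_port") == C2_PORT:
            hits.append("c2_connect")
        if BEACON in event.get("payload", ""):
            hits.append("c2_beacon")
    return hits

def triage(events):
    """Return {event_id: hits} for matching events plus an escalate flag that
    requires two or more distinct rules, i.e. more than one stage of the chain."""
    per_event = {e["id"]: classify(e) for e in events}
    per_event = {k: v for k, v in per_event.items() if v}
    distinct = {rule for hits in per_event.values() for rule in hits}
    return per_event, len(distinct) >= 2

SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the report
    {"id": 1, "type": "file_create", "path": r"C:\windirr\sch_update.db"},
    {"id": 2, "type": "task_create", "task_name": "GoogleUpdateCheck"},
    {"id": 3, "type": "file_create", "path": r"C:\winii\python.exe"},
    {"id": 4, "type": "net_connect", "dst_ip": "45.95.186.232", "dst_port": 8080,
     "payload": "HAPPY"},
    {"id": 5, "type": "file_create", "path": r"C:\Users\u\report.docx"},
    {"id": 6, "type": "net_connect", "dst_ip": "192.0.2.10", "dst_port": 443,
     "payload": ""},
]
```

Running `triage(SAMPLE_EVENTS)` flags events 1 to 4 and escalates the host; a host showing only the task-name rule is reported but not escalated.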
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://qugesr.online/m/bDw | 2026-04-01 | 2026-04-14 |
| DOMAIN | qugesr.online | 2026-04-01 | 2026-04-14 |
| IPv4 | 45.95.186.232 | 2026-04-01 | 2026-04-14 |
| URL | https://quickcon.store/man/logo… | 2026-04-01 | 2026-04-01 |
| URL | https://qugesr.online/dwparts_v… | 2026-04-01 | 2026-04-01 |
| URL | https://qugesr.online/dwparts_v… | 2026-04-01 | 2026-04-01 |
| URL | https://quickcon.store/man/logo… | 2026-04-01 | 2026-04-01 |
| URL | https://qugesr.online/dwparts_v… | 2026-04-01 | 2026-04-01 |
| DOMAIN | quickcon.store | 2026-04-01 | 2026-04-01 |