Malware presumed to be made by Kimsuky, targeting Russians under the pretext of Korean tourism - 241007.lnk (2024.10.14)

2024-10-17 Sakai Suspected Kimsuky Malware Targeting Russian Speakers with a Korean Tourism Lure

http://wezard4u.tistory.com/429304


A suspected Kimsuky LNK sample named 241007.lnk uses a Korean tourism and travel-study lure aimed at Russian-speaking users. When opened, the shortcut executes PowerShell, which searches for a matching large .lnk file, extracts the data embedded in it into a PDF decoy, and writes a winboot.bat payload under the public Libraries path. It then creates a scheduled task named NotepadPlusAutoUpdate that runs the batch file every six minutes, gaining persistence under a benign-looking updater name. The batch logic uses curl to download reboot234.bat from hxxps://contactcenter(.)mobilo(.)mx/vicidial/ploticus/mobile(.)php?choko=GYHASOLS. The published hashes and vendor detections support triage of the LNK dropper.
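One defender's check for the scheduled-task persistence described above, as an added example that is not from the original post: it parses an exported Task Scheduler XML definition and flags the combination of a short repetition interval, a batch file under the public Libraries path, and the reported task name. The task XML below is constructed for illustration; only the task name, the six-minute interval and the winboot.bat path come from the report.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (as exported by schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
REPORTED_TASK_NAME = "NotepadPlusAutoUpdate"     # name used by the sample
PUBLIC_LIBRARIES = re.compile(r"\\users\\public\\libraries\\", re.I)
MAX_SUSPICIOUS_MINUTES = 15                        # hunt threshold (assumption)

# Constructed sample: the shape of a task definition matching the report.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT6M</Interval></Repetition>
      <StartBoundary>2024-10-14T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Public\Libraries\winboot.bat</Command></Exec>
  </Actions>
</Task>"""


def task_findings(xml_text: str, task_name: str) -> list[str]:
    """Return the reasons a task definition resembles the reported persistence.

    An empty list means none of the three traits was observed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if task_name.lower() == REPORTED_TASK_NAME.lower():
        findings.append(f"task name matches reported {REPORTED_TASK_NAME}")
    # Repetition intervals use ISO 8601 durations; only minute-granular
    # values (PTnM) are treated as "short" here.
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        m = re.fullmatch(r"PT(\d+)M", interval.text or "")
        if m and int(m.group(1)) <= MAX_SUSPICIOUS_MINUTES:
            findings.append(f"short repetition interval {interval.text}")
    # A batch file launched from the world-writable Public Libraries folder.
    for cmd in root.findall(".//t:Exec/t:Command", NS):
        text = cmd.text or ""
        if text.lower().endswith(".bat") and PUBLIC_LIBRARIES.search(text):
            findings.append(f"batch file under Public Libraries: {text}")
    return findings


if __name__ == "__main__":
    for reason in task_findings(SAMPLE_TASK_XML, REPORTED_TASK_NAME):
        print("SUSPICIOUS:", reason)
```

On a live host the same function can be fed the output of `schtasks /query /tn <name> /xml` for each task, treating two or more findings as worth a closer look.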

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    7eb7d0133965022ad362132782da9d15   2024-10-17  2024-10-17
HASH    564b9c9dac942c1284ab565607997b7…   2024-10-17  2024-10-17
HASH    2a9524821533e3285e9271706c67302…   2024-10-17  2024-10-17
URL     https://contactcenter.mobilo.mx…   2024-10-17  2024-10-17
DOMAIN  contactcenter.mobilo.mx            2024-10-17  2024-10-17
