Analysis of the KONNI's LINKON Malware

2025-02-14 S2W

https://s2w.inc/en/resource/detail/758

S2W TALON analyzed LINKON malware associated with the North Korea-backed KONNI group, delivered as an LNK file disguised as a South Korean Financial Services Commission virtual-asset inspection document. The January 2025 sample used PowerShell to drop and execute a decoy document alongside embedded malicious files, hiding execution from the user. KONNVBS and KONNBAT scripts maintained persistence through Windows Task Scheduler or downloaded additional components from a hardcoded attacker-controlled server. The lure theme suggests targeting of virtual asset businesses after the December 2024 Anti-Money Laundering Inspection Trustee Council meeting.

Indicators of Compromise

Type  Value                              First Seen  Last Seen
HASH  e37c8f6aba686aab3d7ecedbd1d0ef43   2025-02-14  2026-01-14
HASH  5a8ecafbd5809000334bf5b940a497d…   2025-02-14  2025-02-20
