Analyzing spear-phishing campaign by Konni APT

2025-03-27 Priya Patel

https://prii308.github.io/Analyzing-spear-phishing-campaign-by-Konni-APT/


A suspected Konni APT spear-phishing campaign used a malicious LNK file that launches mshta and extracts an embedded PowerShell script into C:\ProgramData. The script connects to 64.20.59.148 on ports 8855 and 6699, downloads a ZIP archive from Dropbox, and drops obfuscated JavaScript and PowerShell components. Persistence is established through a scheduled task disguised as a Microsoft Edge update task and a Run key under HKCU. The later PowerShell stage authenticates to the Google Drive API to upload execution logs, search for operator-provided files, and retrieve additional content, which shows a multi-stage workflow combining data theft with command delivery.

Indicators of Compromise

Type     Value                                      First Seen   Last Seen
IPv4     64.20.59.148                               2025-02-26   2025-05-13
HASH     6fb3dfe451b37b0304a42e62759bf36…           2025-03-27   2025-04-10
HASH     ec78b61a5f54805bbdffd69d57ce76d…           2025-03-27   2025-03-27
HASH     1a61340179c811b17c332452cfd1d72…           2025-03-27   2025-03-27
HASH     a1376496406895a00d9009b36a6e107…           2025-03-27   2025-03-27
HASH     9ce42177bafe552495b8329726bb4ac…           2025-03-27   2025-03-27
URL      https://www.dropbox.com/scl/fi/…           2025-03-27   2025-03-27
DOMAIN   65054017293-3uhs23bl4ffvlbutcle…           2025-03-27   2025-03-27
