Analysis of recent APT-Konni attack activity targeting South Korea

2024-07-08 David_Jou

https://www.freebuf.com/articles/system/405498.html

APT-Konni related activity against South Korean targets used Korean-language CHM and LNK document lures to execute hidden script chains. The CHM sample embeds an ActiveX object that writes Base64 content to disk, decodes it with certutil into a VBS file, adds a Run registry key for persistence, and launches PowerShell to fetch remote code. A second, HWP-themed LNK lure searches itself for an embedded payload, writes it to disk, copies curl.exe as VezoQcO.exe, uses it to download AutoIt3.exe and an AU3 script from cavasa[.]com[.]co, and creates a scheduled task that re-runs every minute for persistence. The source treats SUSU attribution as uncertain while tying the observed tradecraft to Konni and to possible APT37-related activity.

Indicators of Compromise

Type     Value                               First Seen   Last Seen
IPv4     62.113.118.157                      2024-07-08   2026-01-22
HASH     0aaec376904434197bae4f1a10ecfe8…    2024-07-08   2024-11-10
DOMAIN   oryzanine.com                       2024-03-26   2024-08-22
HASH     88b901dc2d5df59f54f02b248c24a44…    2024-07-08   2024-07-08
URL      http://settlores.com/list.php?6…    2024-07-08   2024-07-08
URL      http://32984.cnb39.com/code/        2024-07-08   2024-07-08
URL      http://oryzanine.com/index.php?…    2024-07-08   2024-07-08
URL      http://asdlfkj.asdofji.ev/SmtIn…    2024-07-08   2024-07-08
URL      https://cavasa.com.co/login         2024-07-08   2024-07-08
URL      http://settlores.com/list.php?6…    2024-07-08   2024-07-08
URL      http://settlores.com/get.php?63…    2024-07-08   2024-07-08
URL      http://settlores.com/get.php?63…    2024-07-08   2024-07-08
URL      http://settlores.com/list.php?6…    2024-07-08   2024-07-08
URL      http://settlores.com/list.php?6…    2024-07-08   2024-07-08
URL      http://settlores.com/list.php?6…    2024-07-08   2024-07-08
URL      http://settlores.com/upload.php     2024-07-08   2024-07-08
URL      http://settlores.com/list.php?f…    2024-07-08   2024-07-08
URL      https://cavasa.com.co/webpyp/wp…    2024-07-08   2024-07-08
URL      https://cavasa.com.co/webpyp/wp…    2024-07-08   2024-07-08
DOMAIN   32984.cnb39.com                     2024-07-08   2024-07-08
DOMAIN   asdlfkj.asdofji.ev                  2024-07-08   2024-07-08
IPv4     5.255.109.145                       2024-07-08   2024-07-08
