Kimsuky Malware Using the Dropbox API

2026-03-17 IIJSECT Kimsuky Malware Using the Dropbox API

https://sect.iij.ad.jp/blog/2026/03/dropbox-api-kimsuky-malware/


IIJ analyzed malware delivered by an LNK file uploaded from Korea and found extensive overlap with a Kimsuky campaign previously reported by AhnLab ASEC. When opened, the LNK extracted XOR-decoded components into C:\PerfLog, deployed www.ps1 and 17.vbs, and created a scheduled task named P using schtasks.exe for persistence. The PowerShell malware generated a client ID from the host MAC address, collected domain, username, OS, process, and public IP information, and uploaded the data to an attacker-controlled Dropbox folder through hardcoded Dropbox API credentials. It then checked Dropbox for a victim-specific follow-on batch file, suggesting operators reviewed collected host data before staging next payloads such as a RAT. The report highlights continued abuse of legitimate services such as Dropbox and GitHub by North Korea-linked APT activity and provides hashes and file paths for detection.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   29afb88a2bbff600799a42ae033e8b4…   2026-03-17   2026-03-17
HASH   afe9a0298d945105ee69e84bdd7c41f…   2026-03-17   2026-03-17
HASH   bedc8bd676a84df2e82f15a42ecec2a…   2026-03-17   2026-03-17
HASH   5aca578dd7894ca29c51ce911fbb78e…   2026-03-17   2026-03-17
IPv4   208.67.222.220                     2025-09-03   2026-03-17
