Kimsuky attack case using the GitLab platform
2026-04-03 • ESTSecurity • Kimsuky attack case using the GitLab platform
Kimsuky is assessed to have distributed malicious `.pdf.lnk` files disguised as a resume and as North Korea policy documents, using a multi-stage PowerShell chain to collect host information and exfiltrate it. The infection saves and runs `firefox.ps1`, establishes persistence with a Microsoft Edge-themed scheduled task, deploys `facebook.ps1` as a recurring downloader, and executes `news.ps1` as the final information-stealing payload. The campaign abuses GitLab rather than the GitHub infrastructure observed in earlier Kimsuky activity: encrypted payload files are hosted on GitLab, and the GitLab API is used to upload AES-256-encrypted victim data. ESRC lists two LNK MD5 hashes and two GitLab repository URLs as indicators.
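A defender-side triage check for the chain described above, added here as an illustration and not part of the ESTSecurity report: it scans a constructed inventory of file paths and scheduled-task definitions for the double-extension `.pdf.lnk` lure, the three reported script names, and an Edge-themed task that launches PowerShell from a user-writable path. The sample task name, user paths and the extra document extensions in the regex are assumptions; only the script names and the `.pdf.lnk` pattern come from the page.

```python
import re

# Constructed sample inventory (not from the report): one record per line,
# FILE|<path> for files and TASK|<name>|<action> for scheduled tasks.
SAMPLE_INVENTORY = """\
FILE|C:\\Users\\alice\\Downloads\\resume.pdf.lnk
FILE|C:\\Users\\alice\\Downloads\\quarterly_report.pdf
FILE|C:\\Users\\alice\\AppData\\Roaming\\firefox.ps1
TASK|MicrosoftEdgeUpdateCheck|powershell.exe -w hidden -ep bypass -f C:\\Users\\alice\\AppData\\Roaming\\facebook.ps1
TASK|MicrosoftEdgeUpdateTaskMachineCore|C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe /c
"""

# The report names .pdf.lnk; other document extensions are an assumed generalization.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|hwp|xlsx?)\.lnk$", re.IGNORECASE)
SCRIPT_NAMES = {"firefox.ps1", "facebook.ps1", "news.ps1"}  # stage names from the report
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")  # assumed list

def check_file(path):
    """Flag double-extension LNK lures and the reported stage script names."""
    findings = []
    name = path.rsplit("\\", 1)[-1].lower()
    if DOUBLE_EXT.search(name):
        findings.append(f"double-extension LNK lure: {path}")
    if name in SCRIPT_NAMES:
        findings.append(f"reported stage script name: {path}")
    return findings

def check_task(name, action):
    """Flag browser-themed tasks that run a .ps1, and any task running a .ps1 from a user-writable path."""
    findings = []
    a = action.lower()
    runs_ps = "powershell" in a and ".ps1" in a
    if runs_ps and "edge" in name.lower():
        findings.append(f"Edge-themed task runs a PowerShell script: {name}")
    if runs_ps and any(p in a for p in USER_WRITABLE):
        findings.append(f"task runs .ps1 from user-writable path: {name}")
    return findings

def scan(inventory):
    """Run both checks over an inventory text and return all findings."""
    findings = []
    for line in inventory.splitlines():
        parts = line.split("|")
        if parts[0] == "FILE" and len(parts) == 2:
            findings.extend(check_file(parts[1]))
        elif parts[0] == "TASK" and len(parts) == 3:
            findings.extend(check_task(parts[1], parts[2]))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_INVENTORY):
        print(f)
```

The genuine Edge updater task in the sample produces no finding because it runs a signed updater binary, not PowerShell; the constructed lookalike task is flagged twice.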
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://gitlab.com/kevin-group5… | 2026-04-03 | 2026-04-03 |
| URL | https://gitlab.com/arkiler-grou… | 2026-04-03 | 2026-04-03 |
| HASH | 302725413076d1aeaee2d7f2b3692646 | 2026-04-03 | 2026-04-03 |
| HASH | 5577fffb5b5acd3771ef9dc696498f1e | 2026-04-03 | 2026-04-03 |