Kimsuky A Gift That Keeps on Giving
2024-09-17 • somedieyoung ZZ
The analysis covers a Windows LNK sample whose TTPs are assessed by the author as consistent with Kimsuky or another DPRK-based actor. The shortcut uses mshta.exe and JavaScript arguments to reach 64.49.14.181, retrieve a Base64-encoded ZIP, write it as C:\ProgramData\t.zip, extract it, and run s.vbs. The VBScript uses obfuscation and a Caesar-style decoding routine, creates a scheduled task disguised as an Edge update, and opens a decoy DOCX from ProgramData. Later stages add Run-key persistence for a VBS file and execute PowerShell against C:\ProgramData\xM578.tmp, giving defenders concrete Windows persistence and staging behaviors to hunt.
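As an added example (not code from the original write-up), the chain above expressed as process-creation hunting rules run over constructed Sysmon-style records; the Edge-lookalike task name, the reg.exe form of the Run-key write and every log line are assumptions, not values taken from the sample.

```python
import re

# Process-creation detections for the chain described above: LNK -> mshta.exe with
# a javascript: argument -> VBS staged in C:\ProgramData -> scheduled task posing as
# an Edge update -> Run-key VBS persistence -> PowerShell touching C:\ProgramData\*.tmp.
# Each rule: (name, image regex, command-line regex, parent-image exclusion regex).
# The "edge" task-name check and the reg.exe Run-key write are assumptions from the prose.
RULES = [
    ("mshta_javascript", r'\\mshta\.exe$', r'javascript:', None),
    ("vbs_from_programdata", r'\\[wc]script\.exe$', r'c:\\programdata\\[^ "]*\.vbs', None),
    ("schtasks_edge_lookalike", r'\\schtasks\.exe$', r'/create\b.*/tn\s+"?[^" ]*edge',
     r'\\MicrosoftEdgeUpdate\.exe$'),  # the real Edge updater legitimately creates such tasks
    ("runkey_vbs_persistence", r'\\reg\.exe$', r'\\currentversion\\run\b.*\.vbs', None),
    ("powershell_programdata_tmp", r'\\powershell\.exe$', r'c:\\programdata\\[^ "]*\.tmp', None),
]

def parse_event(line):
    """Parse a constructed 'time|parent|image|commandline' record into a dict."""
    time, parent, image, cmd = line.split("|", 3)
    return {"time": time, "parent": parent, "image": image, "cmd": cmd}

def match_rules(event):
    """Names of rules whose image and command-line patterns match and whose parent is not excluded."""
    return [name for name, img_re, cmd_re, parent_excl in RULES
            if re.search(img_re, event["image"], re.I)
            and re.search(cmd_re, event["cmd"], re.I)
            and not (parent_excl and re.search(parent_excl, event["parent"], re.I))]

def hunt(lines):
    """Map rule name -> event times; the number of keys is the number of distinct stages seen."""
    found = {}
    for line in lines:
        ev = parse_event(line)
        for name in match_rules(ev):
            found.setdefault(name, []).append(ev["time"])
    return found

# Constructed records (not from the real sample); the 4th is a benign Edge-updater task and
# the 7th a benign schtasks query, both of which must stay quiet.
SAMPLE_LOG = [
    r'2024-09-17T10:00:01|C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe javascript:/*stage1*/',
    r'2024-09-17T10:00:03|C:\Windows\System32\mshta.exe|C:\Windows\System32\wscript.exe|wscript.exe "C:\ProgramData\s.vbs"',
    r'2024-09-17T10:00:04|C:\Windows\System32\wscript.exe|C:\Windows\System32\schtasks.exe|schtasks.exe /create /tn "MicrosoftEdgeUpdateTaskUser" /tr "wscript.exe C:\ProgramData\s.vbs" /sc minute /mo 10',
    r'2024-09-17T10:00:05|C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe|C:\Windows\System32\schtasks.exe|schtasks.exe /create /tn "MicrosoftEdgeUpdateTaskMachineCore" /xml C:\Temp\edge.xml',
    r'2024-09-17T10:00:06|C:\Windows\System32\wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -c "gc C:\ProgramData\xM578.tmp"',
    r'2024-09-17T10:00:07|C:\Windows\System32\wscript.exe|C:\Windows\System32\reg.exe|reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Edge /t REG_SZ /d C:\ProgramData\u.vbs',
    r'2024-09-17T10:00:09|C:\Windows\System32\svchost.exe|C:\Windows\System32\schtasks.exe|schtasks.exe /query /tn "MicrosoftEdgeUpdateTaskUser"',
]
```

Seeing several of these stages from one host within minutes is a much stronger signal than any single rule, which is why hunt() groups hits by rule rather than alerting per line.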
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 64.49.14.181 | 2024-09-17 | 2024-09-26 |