Kimsuky Deploys Malicious LNK Files to Implant Python-Based Backdoor in Multi-Stage Attack

2026-04-14 Excalibra

https://medium.com/meetcyber/kimsuky-deploys-malicious-lnk-files-to-implant-python-based-backdoor-in-multi-stage-attack-2caa185b5361


Kimsuky is reported to have evolved its malicious LNK delivery by disguising shortcut files as HWP documents and adding XML, VBS, PowerShell, BAT, ZIP, and Python stages before final malware execution. Recent samples create a hidden C:\windirr directory, drop decoy documents, register XML-based scheduled tasks such as GoogleUpdateTaskMachineCGI__{56C6A980-91A1-4DB2-9812-5158E7E97388}, and run staged scripts on a recurring schedule. The chain abuses Dropbox both to exfiltrate host information under filenames containing the user domain and date and to retrieve additional components that unpack into C:\winii. The final Python backdoor beacons to 45.95.186[.]232:8080 with the string HAPPY and supports shell execution, drive enumeration, file upload and download, file deletion with overwrite, and execution of EXE, BAT, and VBS files.

Indicators of Compromise

Type    Value                         First Seen   Last Seen
URL     https://qugesr.online/m/bDw   2026-04-01   2026-04-14
DOMAIN  qugesr.online                 2026-04-01   2026-04-14
IPv4    45.95.186.232                 2026-04-01   2026-04-14
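As an added defender-side example (not code from the report or its author), the following Python triage routine checks constructed scheduled-task registrations and outbound connections against the indicators above: the GoogleUpdateTaskMachineCGI__{GUID} task name (generalised here to any GUID suffix), task actions that run from C:\windirr or C:\winii, the 45.95.186.232:8080 beacon beginning with HAPPY, and the qugesr.online domain. The record format and the sample events are assumptions made for this example.

```python
import re

# Indicator values are the ones in the report above; the task-name regex generalises the single
# reported name to any GUID suffix. SAMPLE_RECORDS are constructed for this example, not real data.
STAGING_DIRS = ("c:\\windirr\\", "c:\\winii\\")
TASK_NAME_RE = re.compile(r"^GoogleUpdateTaskMachineCGI__\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
C2_IP, C2_PORT, C2_HELLO = "45.95.186.232", 8080, b"HAPPY"
IOC_DOMAIN = "qugesr.online"

def check_task(name, action):
    """Reasons a scheduled-task registration (task name + action command line) matches the chain."""
    reasons = []
    if TASK_NAME_RE.match(name):
        reasons.append("task name follows the reported GoogleUpdateTaskMachineCGI__{GUID} pattern")
    action_l = action.lower().replace("/", "\\")  # tolerate forward-slash spellings of the path
    reasons += [f"task action references hidden staging directory {d}" for d in STAGING_DIRS if d in action_l]
    return reasons

def check_network(dst_host, dst_port, first_bytes=b""):
    """Reasons an outbound connection matches the reported C2 endpoint or indicator domain."""
    reasons = []
    if dst_host == C2_IP:
        reasons.append(f"destination is reported C2 address {C2_IP} on port {dst_port}")
        if dst_port == C2_PORT and first_bytes.startswith(C2_HELLO):
            reasons.append("first bytes match the reported beacon string HAPPY")
    host_l = dst_host.lower()
    if host_l == IOC_DOMAIN or host_l.endswith("." + IOC_DOMAIN):
        reasons.append(f"destination is reported indicator domain {IOC_DOMAIN}")
    return reasons

def scan(records):
    """Return (record, reasons) for every record that matches at least one indicator."""
    hits = []
    for rec in records:
        reasons = (check_task(rec["name"], rec["action"]) if rec["kind"] == "task"
                   else check_network(rec["host"], rec["port"], rec.get("first_bytes", b"")))
        if reasons:
            hits.append((rec, reasons))
    return hits

SAMPLE_RECORDS = [  # constructed: two task registrations and three outbound connections
    {"kind": "task", "name": "GoogleUpdateTaskMachineCGI__{56C6A980-91A1-4DB2-9812-5158E7E97388}",
     "action": r"wscript.exe //B C:\windirr\stage.vbs"},
    {"kind": "task", "name": "GoogleUpdateTaskMachineCore",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c"},
    {"kind": "net", "host": "45.95.186.232", "port": 8080, "first_bytes": b"HAPPY"},
    {"kind": "net", "host": "qugesr.online", "port": 443},
    {"kind": "net", "host": "8.8.8.8", "port": 53},
]
```

Running scan(SAMPLE_RECORDS) flags the CGI task (two reasons), the port-8080 HAPPY connection and the qugesr.online connection, and leaves the genuine GoogleUpdate task and the DNS connection untouched.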
