Konni Group Delivers AutoIt Malware to the Virtual Currency Sector

2024-03-26 Qianxin Cyber threat report on Konni, LNK, AutoIt

https://zhuanlan.zhihu.com/p/689051421


QiAnXin reports Konni activity delivering AutoIt malware to likely South Korean cryptocurrency-sector targets using lures themed around virtual-asset regulation and legal documents. The ZIP package contains a normal decoy document and a document-disguised LNK file; when opened, the LNK runs PowerShell, extracts a decoy and CAB data, and launches VBS and BAT scripts from the Public Documents directory. The scripts establish persistence through registry Run and Startup-folder changes, collect file listings and system information, encrypt URL parameters and uploads with RC4 keyed by timestamps, and communicate with infrastructure such as settlors.com. A later ZIP from the C2 deploys a compiled AutoIt script that gathers administrator status, OS version, antivirus names including Korean products, username, and hostname, then polls C2 for tasks that can download and execute EXE, DLL, BAT, PowerShell, or VBS payloads. The report links the activity to Konni based on LNK traits and malware behavior while noting prior reporting that connects Konni with APT37 and Kimsuky-related tracking.
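The execution chain summarised above (explorer-launched LNK, PowerShell staging into Public Documents, VBS/BAT run from that folder, Run-key persistence) can be turned into a host-level correlation rule. The following is an added example, not code from the QiAnXin report; the telemetry records are constructed Sysmon-style tuples and their field layout is an assumption.

```python
"""Correlate the Konni-style LNK -> PowerShell -> Public Documents script chain.
Added example; EVENTS are constructed, not indicators from the report."""
import re
from collections import defaultdict

PUBLIC_DOCS = re.compile(r"c:\\users\\public\\documents\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|bat)\b", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)

# Constructed sample telemetry: (host, event_type, parent_image, image, details)
EVENTS = [
    ("PC1", "process", "explorer.exe", "powershell.exe",
     "-w hidden -c expand C:\\Users\\u\\Downloads\\doc.lnk C:\\Users\\Public\\Documents\\d.cab"),
    ("PC1", "process", "powershell.exe", "wscript.exe", "C:\\Users\\Public\\Documents\\a.vbs"),
    ("PC1", "process", "wscript.exe", "cmd.exe", "/c C:\\Users\\Public\\Documents\\b.bat"),
    ("PC1", "registry", "cmd.exe", "reg.exe",
     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update"),
    ("PC2", "process", "explorer.exe", "winword.exe", "C:\\Users\\u\\Documents\\report.docx"),
    ("PC2", "process", "explorer.exe", "wscript.exe", "C:\\Users\\Public\\Documents\\login.vbs"),
]

def classify(event):
    """Map one event to a stage of the reported chain, or None if it matches nothing."""
    _host, kind, parent, image, details = event
    image, parent = image.lower(), parent.lower()
    if (kind == "process" and image == "powershell.exe" and parent == "explorer.exe"
            and PUBLIC_DOCS.search(details)):
        return "drop"      # LNK-launched PowerShell staging files into Public Documents
    if (kind == "process" and image in ("wscript.exe", "cscript.exe", "cmd.exe")
            and PUBLIC_DOCS.search(details) and SCRIPT_EXT.search(details)):
        return "script"    # VBS/BAT executed out of Public Documents
    if kind == "registry" and RUN_KEY.search(details):
        return "persist"   # Run-key persistence write
    return None

def score_hosts(events):
    """Return {host: sorted list of distinct chain stages seen on that host}."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev[0]].add(stage)
    return {host: sorted(s) for host, s in stages.items()}

def alerts(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages; one lone stage is too noisy."""
    return sorted(h for h, s in score_hosts(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    for host in alerts(EVENTS):
        print(host, score_hosts(EVENTS)[host])
```

A single VBS launch from Public Documents (PC2) stays below the threshold; the full staged chain on PC1 is what raises the alert.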

Indicators of Compromise
