ENKI links a set of VirusTotal-hunted LNK samples to Konni activity associated with North Korean operations and describes a multi-stage infection chain ending in an AsyncRAT variant. The LNK files extract and execute obfuscated PowerShell from embedded data, then retrieve additional JavaScript and PowerShell payloads through Dropbox, C2 servers, and Google Drive. The chain establishes persistence through scheduled tasks and HKCU Run keys, creates infection logs in an attacker-controlled Google Drive, and appears to use file polling or manual staging to deliver follow-on payloads. The final AsyncRAT resembles previously reported Konni-linked AsyncRAT code but receives its C2 IP and port as runtime arguments rather than relying only on hardcoded configuration, with 206.206.127[.]152 observed in the analyzed activity.