Konni used a Korean National Tax Service themed ZIP lure that presented HWP decoy documents while hiding a malicious shortcut and script chain. The LNK ran PowerShell that searched for the shortcut, extracted XOR encoded data from it, wrote and launched payload files, then staged VBScript and batch files under C:\Users\Public\Documents. The batch logic added a Run key named svchostno2 for start.vbs persistence and repeatedly contacted ttzcloud[.]com to download a CAB payload. The source ties Konni to North Korean activity and notes overlap or possible association with Thallium, APT37, and Kimsuky, while providing hashes for the ZIP and HWP files.