Analysis of the Konni Group's Spear-Phishing and KakaoTalk-Linked Threat Campaign

2026-03-15 Genians Analysis of Konni Group Spear-Phishing and KakaoTalk-Linked Threat Campaign

https://www.genians.co.kr/blog/threat_intelligence/kakaotalk


Genians Security Center links the activity to the Konni APT group and describes a spear-phishing campaign that used a North Korean human-rights lecturer appointment lure to gain initial access. Victims were induced to run a malicious LNK file that launched 32-bit PowerShell, decrypted and opened a decoy PDF from inside the shortcut, downloaded AutoIt components from drfeysal[.]com, and created a scheduled task named APDNHFU for one-minute recurring execution. The follow-on APDNHFU.pdf payload was not a real PDF but an AutoIt container padded with dummy data and identified as EndRAT-like malware, using mutex Global\B073W15Z-D8QD-87B1-7465-CE77A8819E701 and custom socket C2 to 185.21.14[.]249 on port 80. The campaign also abused the victim's KakaoTalk PC session to send malicious files to selected contacts, turning trusted messenger relationships into a second-stage distribution channel. The combination of long-term endpoint persistence, document theft, messenger-session abuse, and account-based propagation makes the activity important for monitoring DPRK-themed social-engineering operations.

Indicators of Compromise

