MoonPeak Malware Executed Through LNK Files

2026-01-22 IIJSECT MoonPeak Malware Executed Through LNK Files

https://sect.iij.ad.jp/blog/2026/01/dprk-moonpeak-executed-via-malicious-lnk-file/


IIJ observed a malicious LNK file, likely used against Korean users, that executed MoonPeak, a XenoRAT variant that the source attributes to DPRK-linked activity. The lure opened a Korean investment-themed decoy PDF while hidden PowerShell checked for analysis tools, created a scheduled task for persistence, and sent host, domain, OS, and process information to mid.great-site.net. A second-stage script retrieved files from the GitHub repository macsim-gun/FinalDocu, converted octobor.docx into GZIP data, and loaded the ConfuserEx-obfuscated MoonPeak payload Stella.exe in memory. The activity shows continued use of trusted hosting such as GitHub, and its infrastructure patterns overlap with previously reported MoonPeak campaigns.
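Because the chain stages the MoonPeak payload as GZIP data carried under a .docx name, one defensive check is to compare a file's extension with the container format its bytes actually declare. The following is an added example, not code from the IIJ report: the sample files are constructed inline, and the file names and the `scan` helper are illustrative placeholders.

```python
"""Flag files that arrive with an Office extension but are not OOXML containers."""
import gzip
import io
import zipfile

GZIP_MAGIC = b"\x1f\x8b"
ZIP_MAGIC = b"PK\x03\x04"


def classify_docx_bytes(data: bytes) -> str:
    """Return a verdict for bytes that were delivered under a .docx name."""
    if data.startswith(ZIP_MAGIC):
        # A genuine OOXML document is a ZIP container holding [Content_Types].xml.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "ooxml"
        except zipfile.BadZipFile:
            pass
        return "zip-but-not-ooxml"
    if data.startswith(GZIP_MAGIC):
        # GZIP under a .docx name is itself anomalous; look at what it wraps.
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError):
            return "gzip-undecodable"
        if inner.startswith(b"MZ"):
            return "gzip-wrapped-pe"  # compressed Windows executable, as in this chain
        return "gzip-other"
    return "unknown"


def scan(files: dict) -> list:
    """Return the names of .docx files whose content is not a real OOXML document."""
    return [name for name, data in files.items()
            if name.lower().endswith(".docx") and classify_docx_bytes(data) != "ooxml"]


def build_samples() -> dict:
    """Constructed inputs: one minimal real document, one GZIP-wrapped fake PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    fake_pe = b"MZ" + b"\x90" * 62  # stand-in header only, not a runnable binary
    return {"real.docx": buf.getvalue(), "disguised.docx": gzip.compress(fake_pe)}


if __name__ == "__main__":
    for name in scan(build_samples()):
        print("suspicious:", name)
```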

Indicators of Compromise

