Malicious LNK Disguised as Notices

2025-04-23 Ahnlab

https://asec.ahnlab.com/en/87620/

ASEC reports malicious LNK files distributed to Korean users under notice-themed names such as local tax bill and sex-offender information PDFs. Executing the LNK downloads and runs an HTA from attacker infrastructure; the HTA embeds a ZIP archive and a decoy PDF, and the ZIP holds VBS and Base64-encoded PowerShell components. The decoded scripts collect system information, browser credentials and extension data, cryptocurrency wallet extension files, GPKI and NPKI certificate data, recent-file shortcut targets, and clipboard and keylogging data, and they also support attacker commands, file upload, file download, and Run key persistence. The distribution URL impersonates a Korean portal domain, and the collection of Naver Whale, public-certificate, and Korean administrative-signature data supports the report’s assessment that Korean users were targeted.

Indicators of Compromise

Type Value First Seen Last Seen
URL https://nid-naveroup.servepics.… 2025-04-22 2025-04-23
DOMAIN nid-naveroup.servepics.com 2025-04-22 2025-04-23
