Malicious LNK Files Distributing a Python-Based Backdoor and Changes in Distribution Techniques (Kimsuky Group)

2026-04-01 AhnLab

https://asec.ahnlab.com/en/93151/


AhnLab ASEC observed Kimsuky changing its malicious LNK distribution chain while still ultimately executing Python-based backdoors or downloaders. Recent LNK lures such as resume and data backup guide files create hidden components under C:\windirr, then use XML Task Scheduler entries, VBS, PowerShell, BAT files, Dropbox, and staged ZIP downloads before running beauty.py. The Python backdoor connects to 45.95.186[.]232:8080, sends a “HAPPY” infection signal, and uses a custom magic-byte protocol for shell execution, drive and directory listing, file transfer, deletion, and launching BAT/VBS/EXE files. AhnLab links the activity to Kimsuky through similar scheduler names, sch_*.db XML task files, reused decoys, and the group’s pattern of disguising LNK files as documents to evade user suspicion and detection.

Indicators of Compromise

Type     Value                                 First Seen   Last Seen
URL      https://qugesr.online/m/bDw           2026-04-01   2026-04-14
DOMAIN   qugesr.online                         2026-04-01   2026-04-14
IPv4     45.95.186.232                         2026-04-01   2026-04-14
URL      https://quickcon.store/man/logo…      2026-04-01   2026-04-01
URL      https://qugesr.online/dwparts_v…      2026-04-01   2026-04-01
URL      https://qugesr.online/dwparts_v…      2026-04-01   2026-04-01
URL      https://quickcon.store/man/logo…      2026-04-01   2026-04-01
URL      Https://quickcon.store/man/logo…      2026-04-01   2026-04-01
URL      https://qugesr.online/dwparts_v…      2026-04-01   2026-04-01
DOMAIN   quickcon.store                        2026-04-01   2026-04-01
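As an added example (not code from AhnLab or the original report), the following script turns the network indicators in the table above and the host artefacts named in the summary (the hidden C:\windirr directory, the sch_*.db task files, the 45.95.186.232:8080 C2 endpoint) into a small matcher that a defender can run over DNS, proxy, firewall and file-event records. The log lines and file paths below are constructed for the example; the task-file name "sch_backup.db" and the analyser field names (query=, url=, dst=, dport=) are assumptions, not values from the report.

```python
import re
from typing import List, Tuple

# Network IoCs taken from the page's table and summary
IOC_DOMAINS = {"qugesr.online", "quickcon.store"}
IOC_IPS = {"45.95.186.232"}
IOC_C2_PORT = 8080                          # port the Python backdoor connects to
IOC_URL_PREFIXES = ("https://qugesr.online/m/bDw",)

# Host artefacts named in the summary: hidden staging directory and scheduler XML files
HIDDEN_DIR_RE = re.compile(r"(?i)^c:\\windirr(\\|$)")
SCH_TASK_RE = re.compile(r"(?i)(^|\\)sch_[^\\]*\.db$")

# Field extractors for a generic key=value log format (assumed format, constructed here)
HOST_RE = re.compile(r"(?i)\b(?:query|host|url)=(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PORT_RE = re.compile(r"\bdport=(\d+)\b")
URL_RE = re.compile(r"\burl=(\S+)")

# Constructed sample telemetry (not real captures)
SAMPLE_LOGS = [
    "2026-04-02T09:13:01Z dns client=10.0.0.15 query=qugesr.online type=A",
    "2026-04-02T09:13:02Z proxy client=10.0.0.15 method=GET url=https://qugesr.online/m/bDw status=200",
    "2026-04-02T09:13:05Z fw src=10.0.0.15 dst=45.95.186.232 dport=8080 action=allow",
    "2026-04-02T09:13:06Z dns client=10.0.0.22 query=example.com type=A",
    "2026-04-02T09:14:10Z fw src=10.0.0.22 dst=93.184.216.34 dport=443 action=allow",
]

# Constructed file-creation events; file names are assumptions, not from the report
SAMPLE_FILE_EVENTS = [
    r"C:\windirr\beauty.py",
    r"C:\windirr\sch_backup.db",
    r"C:\Users\alice\Documents\resume.docx",
    r"C:\Users\alice\AppData\Local\Temp\sch_note.db",
]


def domain_is_ioc(host: str) -> bool:
    """Exact match or subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def find_network_hits(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_index, ioc_type, value) for every indicator seen in the log lines."""
    hits: List[Tuple[int, str, str]] = []
    for idx, line in enumerate(lines):
        for host in HOST_RE.findall(line):
            if domain_is_ioc(host):
                hits.append((idx, "DOMAIN", host.lower()))
        for url in URL_RE.findall(line):
            if url.startswith(IOC_URL_PREFIXES):
                hits.append((idx, "URL", url))
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                port = PORT_RE.search(line)
                # Record the port when it is the known C2 port, so the hit is more specific
                value = f"{ip}:{port.group(1)}" if port and int(port.group(1)) == IOC_C2_PORT else ip
                hits.append((idx, "IPv4", value))
    return hits


def find_host_hits(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for file paths matching the staging directory or task-file pattern."""
    hits: List[Tuple[str, str]] = []
    for path in paths:
        if HIDDEN_DIR_RE.search(path):
            hits.append((path, "hidden staging dir C:\\windirr"))
        if SCH_TASK_RE.search(path):
            hits.append((path, "scheduler XML task file sch_*.db"))
    return hits


if __name__ == "__main__":
    for hit in find_network_hits(SAMPLE_LOGS):
        print("network", hit)
    for hit in find_host_hits(SAMPLE_FILE_EVENTS):
        print("host", hit)
```

The domain check matches subdomains as well as the listed hosts, and the IPv4 check records the port so an analyst can tell a plain contact with the address from a session on the backdoor's 8080 port. The sch_*.db pattern is deliberately not restricted to C:\windirr, since the summary ties that naming to the group rather than to one directory.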
