The Kimsuky Group has recently modified its tactics for distributing malicious LNK files, which are designed to execute a Python-based backdoor or downloader. While the overall attack flow remains consistent, a notable structural change in the intermediate execution phase has occurred. The new workflow involves a sequence where a PowerShell script executed from the LNK file downloads a BAT file, which subsequently triggers the download of a ZIP file containing a Python script, an interpreter, and an XML task scheduler.