: Typically delivered via phishing emails containing a link to a compromised website or a direct download of the ZIP file [2, 5].

: The PowerShell script connects to a Command and Control (C2) server to download additional malware, often MASEPIE or OCEANLOOS [2, 4].

The following analysis covers the technical details of the file and the "Winter Vivern" campaigns associated with it.

: Ensure EDR (Endpoint Detection and Response) tools are configured to flag suspicious PowerShell execution originating from LNK files [4].