Windows platform components — specifically LNK file handling, PowerShell, scheduled tasks, and DLL loading — are the primary execution environment for the Kimsuky and ScarCruft campaigns abusing GitHub and Dropbox as C2 channels. No CVEs are involved; the attack surface is entirely behavioral, exploiting living-off-the-land techniques and legitimate platform trust rather than unpatched vulnerabilities. Defensive priority should focus on enabling PowerShell Script Block Logging (Event ID 4104), monitoring for LNK-spawned interpreter processes, and restricting outbound API access to GitHub and Dropbox from endpoints without documented business justification.