Suspected APT37 New Attack Weapon Fakecheck Analysis Report

2023-08-25 Knownsec Suspected APT37 new attack weapon Fakecheck analysis report

https://paper.seebug.org/3011/


Knownsec 404 analyzed Korean-language CHM samples themed around insurance, securities, finance, and communications bills and assessed that they targeted South Korea. The CHM chain decompiled itself, dropped and executed a JSE script, downloaded alg.exe, and showed code overlap with activity previously disclosed by AhnLab, while adding numeric string encoding and checks for AhnLab anti-virus products. The final FakeCheck .NET RAT collects disk, host, browser, bookmark, saved-password, and recent-file data into files under C:\Users\Public\Pictures, uploads that data to its C2, and executes commands supplied by the server. Knownsec notes that some researchers have linked the activity to APT37, but says the captured samples and TTPs are not directly tied to its own APT37 intelligence and could represent either new APT37 tradecraft or another actor using similar CHM techniques.

Indicators of Compromise

