Malware created by Kimsuky: 북의 핵위협 양상과 한국의 대응방향.chm ("North Korea's nuclear threat and Korea's response direction.chm") (2023.9.18)

2023-09-23 Sakai

https://wezard4u.tistory.com/6604


Kimsuky is reported as using a CHM lure titled around North Korea's nuclear threat and South Korea's response, presented as if it were written by a North Korea strategy researcher. The CHM contains an ActiveX shortcut object that runs cmd commands to write Base64 data under the user's Links folder, decode it with certutil into a VBS file, and add a Run key for persistence. The dropped VBS uses Microsoft.XMLHTTP to fetch and execute code from 00701111.000webhostapp.com/wp-extra/show.php?query=50. The source includes hashes for both the CHM and VBS and assesses the targeting as likely aimed at people involved in North Korea-related work.
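The chain summarized above can be hunted in process-creation logs. The following is an added detection example, not code from the source report; it assumes the CHM is opened by hh.exe, that the Run key is written with reg add, and that events carry the hypothetical fields host, parent_pid, parent_image and cmdline. All sample events are constructed.

```python
import re
from collections import defaultdict

# Stage patterns for the chain in the summary above. The exact command shapes
# (flag spelling, HKCU-style Run path, .vbs extension) are assumptions.
STAGES = {
    "write_to_links": re.compile(r'>\s*"?[^"&|]*\\Links\\', re.I),
    "certutil_decode_vbs": re.compile(
        r'certutil(\.exe)?"?\s.*[-/]decode\s.*\\Links\\[^"\s&]+\.vbs', re.I),
    "run_key_vbs": re.compile(
        r'reg(\.exe)?"?\s+add\s.*\\CurrentVersion\\Run\b.*\.vbs', re.I),
}
REQUIRED = {"certutil_decode_vbs", "run_key_vbs"}


def find_chm_droppers(events):
    """Return {(host, parent_pid): stages} for hh.exe children covering REQUIRED."""
    seen = defaultdict(set)
    for ev in events:
        # Assumption: the CHM is opened by hh.exe, the Windows HTML Help viewer.
        if not ev["parent_image"].lower().endswith("hh.exe"):
            continue
        for name, rx in STAGES.items():
            if rx.search(ev["cmdline"]):
                seen[(ev["host"], ev["parent_pid"])].add(name)
    return {k: sorted(v) for k, v in seen.items() if REQUIRED <= v}


# Constructed process-creation events; hosts, PIDs and file names are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_pid": 4120, "parent_image": r"C:\Windows\hh.exe",
     "cmdline": r'cmd /c echo QUJD > "%USERPROFILE%\Links\sample.dat"'},
    {"host": "ws01", "parent_pid": 4120, "parent_image": r"C:\Windows\hh.exe",
     "cmdline": r'cmd /c certutil -decode "%USERPROFILE%\Links\sample.dat" '
                r'"%USERPROFILE%\Links\sample.vbs" & reg add '
                r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sample '
                r'/t REG_SZ /d "%USERPROFILE%\Links\sample.vbs" /f'},
    # Benign: an admin decoding a certificate from an interactive shell.
    {"host": "ws02", "parent_pid": 900, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'certutil -decode cert.b64 cert.cer'},
    # Partial: hh.exe child touches the Run key but never decodes a script.
    {"host": "ws03", "parent_pid": 77, "parent_image": r"C:\Windows\hh.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v helper /d "C:\Tools\helper.vbs" /f'},
]

if __name__ == "__main__":
    for key, stages in find_chm_droppers(SAMPLE_EVENTS).items():
        print(key, stages)
```

Stages are accumulated per hh.exe instance, so the alert fires whether the commands arrive as one chained cmd line or as separate child processes.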

Indicators of Compromise

