Kimsuky malware disguised as real-estate registration completion information and a registration completion notice - [HF].chm (2023.11.14)

2023-11-28 Sakai Malware attributed to Kimsuky, disguised as registration completion information and a registration completion notice - [HF].chm (2023.11.14) (original Korean title: 김수키(Kimsuky) 등기필정부 및 등기완료 통지서로 위장한 악성코드-[HF].chm(2023.11.14))

https://wezard4u.tistory.com/6669


The source analyzes a Korean-language CHM (compiled HTML Help) malware sample that the author assesses as likely Kimsuky activity. The lure poses as real-estate registration completion information (등기필정보) and a registration completion notice (등기완료 통지서). Opening the CHM runs embedded VBScript, which launches a hidden batch file, registers a scheduled task named SafeBrowsing, and repeatedly re-executes supporting VBS and BAT components for persistence. The scripts beacon to niscarea.com with the victim's computer name Base64-encoded in a URL query string, then use PowerShell and staged batch logic to download additional payloads packaged as a ZIP archive and execute them. Representative hashes are MD5 f35b05779e9538cec363ca37ab38e287 and SHA-256 da79eea1198a1a10e2ffd50fd949521632d8f252fb1aadb57a45218482b9fd89.

Indicators of Compromise

Type    Value                                                              First Seen  Last Seen
URL     https://niscarea.com                                               2023-11-28  2024-12-27
DOMAIN  niscarea.com                                                       2023-11-28  2024-12-27
HASH    d4fa57f9c9e35222a8cacddc79055c1…                                   2023-11-28  2024-03-20
HASH    da79eea1198a1a10e2ffd50fd949521…                                   2023-11-28  2024-03-20
HASH    f35b05779e9538cec363ca37ab38e287                                   2023-11-28  2024-03-20

Hash values ending in … are truncated on the source page; only the two full values quoted in the summary can be matched exactly.
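The beacon behaviour in the summary (computer name Base64-encoded in a query string to niscarea.com) and the IOC table above both lend themselves to a small triage script. The following is an added example written for this page, not code from the blog post or the malware: it decodes Base64-looking query values on requests to the IOC domain and matches observed file hashes against the table, treating the truncated hash as a prefix-only (weaker) match. The proxy-log format and the query-parameter name `id` are constructed for the example; the page does not state the parameter name.

```python
"""Triage helpers for the CHM chain and IOCs summarized on this page.
Added example, not code from the source blog post. Assumptions are marked
as such: the proxy-log format and the query-parameter name 'id' are
constructed for this example; the page only states that the victim computer
name is Base64-encoded in a query string sent to niscarea.com."""
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Network and file indicators from the page's IOC table.
IOC_DOMAINS = {"niscarea.com"}
IOC_HASHES = {
    "f35b05779e9538cec363ca37ab38e287",                                   # MD5
    "da79eea1198a1a10e2ffd50fd949521632d8f252fb1aadb57a45218482b9fd89",  # SHA-256
}
# This value is truncated on the page, so it can only be matched as a prefix.
IOC_HASH_PREFIXES = {"d4fa57f9c9e35222a8cacddc79055c1"}

# Standard and URL-safe Base64 alphabets with optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def decode_if_base64(value: str):
    """Return the decoded text if `value` is Base64 of printable ASCII, else None.

    The parameter name is unknown, so every query value is tried; short or
    non-Base64-shaped values are rejected before any decoding is attempted."""
    if len(value) < 4 or len(value) % 4 or not B64_RE.match(value):
        return None
    # Accept URL-safe Base64 too by mapping it back to the standard alphabet.
    standard = value.replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(standard, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def triage_url(url: str) -> dict:
    """Flag a URL whose host matches an IOC domain and decode Base64 query values."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_ioc_domain = any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)
    decoded = {}
    for name, raw_value in parse_qsl(parts.query, keep_blank_values=True):
        text = decode_if_base64(raw_value)
        if text is not None:
            decoded[name] = text
    return {"url": url, "ioc_domain": on_ioc_domain, "decoded_query": decoded}


def scan_proxy_log(text: str) -> list:
    """Return hits for IOC-domain requests in a constructed 'ts src method url status' log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line; a real parser would log it and move on
        ts, src, method, url, _status = fields
        result = triage_url(url)
        if result["ioc_domain"]:
            hits.append({"ts": ts, "src": src, "method": method, **result})
    return hits


def match_hashes(observed) -> dict:
    """Split observed hashes into exact IOC matches and weaker prefix-only matches."""
    exact, prefix = set(), set()
    for h in observed:
        h = h.strip().lower()
        if h in IOC_HASHES:
            exact.add(h)
        elif any(h.startswith(p) for p in IOC_HASH_PREFIXES):
            prefix.add(h)
    return {"exact": exact, "prefix": prefix}


# Constructed sample log: the first line mimics the beacon described above,
# with id=Base64("DESKTOP-AB1234"); the parameter name 'id' is an assumption.
SAMPLE_LOG = """\
2023-11-28T09:14:02Z 10.0.0.15 GET https://niscarea.com/?id=REVTS1RPUC1BQjEyMzQ= 200
2023-11-28T09:14:05Z 10.0.0.15 GET https://www.example.org/index.html 200
2023-11-28T09:15:11Z 10.0.0.22 GET https://cdn.example.net/pkg.zip?v=3 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['url']} decoded={hit['decoded_query']}")
    print(match_hashes(["F35B05779E9538CEC363CA37AB38E287"]))
```

Decoding every query value rather than a named parameter keeps the check useful if the operators rotate the parameter name; the printable-ASCII filter keeps the false-positive rate down on ordinary tracking parameters. Prefix matches on the truncated hash should be escalated for a full-hash comparison rather than treated as confirmed.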
