Kimsuky distributing CHM malware under a variety of topics

2023-06-16 AhnLab: Kimsuky is spreading CHM malware using various topics.

https://asec.ahnlab.com/ko/53426/


AhnLab describes a May 2023 Kimsuky campaign that increasingly used compiled HTML Help (CHM) files rather than ordinary document lures, with themes tailored to Korean targets such as tax filings, financial transactions, cryptocurrency records, contracts, certificates, and order sheets. Each CHM file displayed a normal-looking help window while its embedded script commands wrote encoded data under the user's Links folder, decoded the VBS/BAT components with certutil, registered persistence in the Run key, and launched a runner chain. The downloaded BAT and CAB components collected user information, sent it together with the computer name to hxxp://vndjgheruewy1[.]com/uun06/uwpp.php, and repeatedly polled for target-specific additional payloads named after the infected PC. The activity shows Kimsuky combining stolen personal information with selective follow-on malware delivery to make its CHM-based APT attacks more targeted.
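As an added example (not code from the AhnLab report), the following Python checks simplified process and registry telemetry for the three stages of the chain above: hh.exe spawning a script host, certutil -decode writing into the Links folder, and a Run key value pointing into that folder. The event schema, host names, file names and Run value name are constructed assumptions.

```python
import re

# Rule names for the three stages described in the report summary.
RULE_HH_SPAWN = "hh.exe spawned a script host"
RULE_CERTUTIL = "certutil -decode writing into the Links folder"
RULE_RUNKEY = "Run key persistence pointing into the Links folder"

HH_EXE = re.compile(r"\\hh\.exe$", re.I)
SCRIPT_HOST = re.compile(r"\\(cmd|wscript|cscript|powershell)\.exe$", re.I)
CERTUTIL_DECODE = re.compile(r"certutil(\.exe)?\b.*\s-decode(hex)?\b", re.I)
LINKS_DIR = re.compile(r"\\Links\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(\\|$)", re.I)

# Constructed sample telemetry (hypothetical schema, not the report's data).
SAMPLE_EVENTS = [
    {"type": "process", "host": "PC01", "parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c echo ENCODED_BLOB_PLACEHOLDER > "C:\Users\user\Links\a.dat"'},
    {"type": "process", "host": "PC01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -decode "C:\Users\user\Links\a.dat" "C:\Users\user\Links\a.vbs"'},
    {"type": "registry", "host": "PC01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value_data": r'wscript "C:\Users\user\Links\a.vbs"'},
    # Benign certutil use on another host: must not fire.
    {"type": "process", "host": "PC02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\Temp\setup.exe SHA256"},
]

def detect_chm_chain(events):
    """Return (rule_name, event) pairs for every event matching one stage."""
    hits = []
    for ev in events:
        if ev.get("type") == "process":
            if HH_EXE.search(ev.get("parent", "")) and SCRIPT_HOST.search(ev.get("image", "")):
                hits.append((RULE_HH_SPAWN, ev))
            cmd = ev.get("cmdline", "")
            if CERTUTIL_DECODE.search(cmd) and LINKS_DIR.search(cmd):
                hits.append((RULE_CERTUTIL, ev))
        elif ev.get("type") == "registry":
            if RUN_KEY.search(ev.get("key", "")) and LINKS_DIR.search(ev.get("value_data", "")):
                hits.append((RULE_RUNKEY, ev))
    return hits

def hosts_with_full_chain(events):
    """Hosts on which all three stages were observed; a single stage alone is only a weak signal."""
    seen = {}
    for rule, ev in detect_chm_chain(events):
        seen.setdefault(ev.get("host", "?"), set()).add(rule)
    return {h for h, rules in seen.items() if rules == {RULE_HH_SPAWN, RULE_CERTUTIL, RULE_RUNKEY}}
```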

Indicators of Compromise

