CHM malware disguised as a North Korea-related questionnaire (Kimsuky)

2023-03-08 Ahnlab CHM malware disguised as a North Korea-related questionnaire (Kimsuky)

https://asec.ahnlab.com/ko/48960/


AhnLab ASEC reported CHM malware assessed as Kimsuky activity, distributed in password-protected archives after the recipient responded to an email posing as a North Korea-related interview request. Running the CHM opened a decoy questionnaire while a Shortcut object executed commands that wrote an encoded payload to Document.dat, decoded it with certutil into Document.vbs, and registered the script under the HKCU Run key for persistence. Document.vbs attempted to load a PowerShell script from mpevalr.ria[.]monster and the recovered script performed keylogging, clipboard collection, and exfiltration to /SmtInfo/show.php. The activity matches previously reported Kimsuky CHM and document-based phishing tradecraft, with representative hashes and the mpevalr.ria[.]monster URLs provided as indicators.
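
As an added defender-side example (not code from the ASEC report or its author), the following Python sketches detection logic for the execution chain summarised above, run over a handful of constructed process-creation events; the event field names, user paths and the benign control event are assumptions.

```python
import re

# Constructed sample process-creation events (not telemetry from the report),
# modelled on the chain above: hh.exe opens the CHM, the embedded command
# writes Document.dat, certutil decodes it to Document.vbs, and the script
# is registered under the HKCU Run key. The last event is benign certutil use.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "hh.exe",
     "cmd": r'hh.exe "C:\Users\u\Downloads\questionnaire.chm"'},
    {"parent": "hh.exe", "image": "cmd.exe",
     "cmd": r"cmd.exe /c certutil -decode C:\Users\u\AppData\Local\Temp\Document.dat "
            r"C:\Users\u\AppData\Local\Temp\Document.vbs"},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmd": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Document '
            r'/t REG_SZ /d "wscript C:\Users\u\AppData\Local\Temp\Document.vbs" /f'},
    {"parent": "explorer.exe", "image": "certutil.exe",
     "cmd": r"certutil -hashfile C:\tools\setup.exe SHA256"},
]

# Each rule is (name, predicate); predicates look at the parent/image pair or
# the command line. Regexes accept either HKCU spelling and common script types.
RULES = [
    ("chm_spawns_shell",
     lambda e: e["parent"].lower() == "hh.exe"
     and e["image"].lower() in ("cmd.exe", "powershell.exe", "wscript.exe", "certutil.exe")),
    ("certutil_decode_to_script",
     lambda e: re.search(r'certutil(?:\.exe)?\s.*-decode\s+\S+\s+\S+\.(?:vbs|js|ps1|exe|dll)\b',
                         e["cmd"], re.I)),
    ("run_key_script_persistence",
     lambda e: re.search(r'reg(?:\.exe)?\s+add\s+"?(?:HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft'
                         r'\\Windows\\CurrentVersion\\Run\b.*\.(?:vbs|js|ps1)\b', e["cmd"], re.I)),
]

def detect(events):
    """Return (rule_name, image) for every event that matches a rule."""
    return [(name, e["image"]) for e in events for name, pred in RULES if pred(e)]

def triage(events):
    """'high' when a CHM-spawned shell is followed by decode or persistence, 'low' for
    an isolated match, 'none' otherwise: isolated certutil use is common and noisy."""
    names = {name for name, _ in detect(events)}
    if "chm_spawns_shell" in names and len(names) > 1:
        return "high"
    return "low" if names else "none"

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("triage:", triage(SAMPLE_EVENTS))
```

The correlation in triage matters more than any single rule: certutil and Run-key writes occur in legitimate administration, but a shell spawned by hh.exe that leads to either is rare.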

Indicators of Compromise

Type    Value                                First Seen  Last Seen
HASH    726af41024d06df195784ae88f2849e4     2023-03-08  2023-05-24
HASH    89c0e93813d3549efe7274a0b9597f6f     2023-03-08  2023-03-08
HASH    9f560c90b7ba6f02233094ed03d9272e     2023-03-08  2023-03-08
HASH    0f41d386e30e9f5ae5be4a707823fd78     2023-03-08  2023-03-08
URL     http://mpevalr.ria.monster/SmtI…     2023-03-08  2023-03-08
URL     http://mpevalr.ria.monster/SmtI…     2023-03-08  2023-03-08
DOMAIN  mpevalr.ria.monster                  2023-03-08  2023-03-08
