Backdoor disguised as a document editing and messenger program (*.chm)

2022-05-03 Ahnlab Backdoor disguised as a document editing and messenger program (*.chm)

https://asec.ahnlab.com/ko/33948/


ASEC observed malicious CHM files distributed in South Korea with filenames tailored to national institution administrators and university professors, including electronic attendance and faculty workload manual themes. The script embedded in the CHM decompiled the archive's contents and ran ImagingDevices.exe, which side-loaded a malicious DLL. That DLL dropped a VBE ReVBShell backdoor that contacted the C2 server and executed attacker commands, but stayed idle when it detected ESET Security on the host.

Follow-on payloads masqueraded as Hancom Office and KakaoTalk processes: HimTraylcon.exe as a backdoor, KaKaoTalk.exe as BrowserPasswordDump, and HNetComAgent.exe as a keylogger that wrote encoded logs under C:\Windows\Tasks. Reported infrastructure included formsgle.freedynamicdns[.]net:8080, finance.my-homeip[.]com:443, and hxxps://92.38.135[.]212/fuat/HimTraylcon.exe. Together these show a phishing-to-backdoor chain aimed at credential theft and further compromise.
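The chain above can be turned into endpoint triage logic. The following is an added example written for this summary, not code from AhnLab or ASEC; the event dictionary shape, the sample telemetry, the expected system directories for ImagingDevices.exe, and the use of hh.exe as the CHM viewer process are assumptions.

```python
"""Triage of constructed endpoint telemetry for the CHM -> ImagingDevices.exe
side-loading chain described above (added example, not AhnLab's code).
The event shape and the "expected path" rules below are assumptions."""
from pathlib import PureWindowsPath

# Hosts taken from the report summary; the "expected" locations are assumptions.
IOC_HOSTS = {"formsgle.freedynamicdns.net", "finance.my-homeip.com", "92.38.135.212"}
MASQUERADE_NAMES = {"himtraylcon.exe", "kakaotalk.exe", "hnetcomagent.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")  # assumed home of ImagingDevices.exe
TASKS_DIR = "c:\\windows\\tasks"

def _under(path, prefix):
    return path.lower().startswith(prefix)

def triage(event):
    """Return a list of reasons the event is suspicious (empty list = clean)."""
    hits = []
    kind = event["type"]
    image = event.get("image", "")
    name = PureWindowsPath(image).name.lower()
    if kind == "process":
        # Side-loading: the signed host binary copied out of its system directory.
        if name == "imagingdevices.exe" and not any(_under(image, d) for d in SYSTEM_DIRS):
            hits.append("ImagingDevices.exe outside system dir (side-load host)")
        # hh.exe is the Windows HTML Help viewer (assumption: it is the CHM's parent process).
        if event.get("parent", "").lower().endswith("hh.exe") and name != "hh.exe":
            hits.append("process spawned by HTML Help viewer")
        if name in MASQUERADE_NAMES and _under(image, "c:\\users\\"):
            hits.append("Hancom/KakaoTalk-looking binary run from a user directory")
    elif kind == "file":
        # Keylogger drop: non-.job files written under C:\Windows\Tasks by a non-system image.
        target = event.get("target", "")
        if _under(target, TASKS_DIR) and not target.lower().endswith(".job") \
                and not any(_under(image, d) for d in SYSTEM_DIRS):
            hits.append("log file written under C:\\Windows\\Tasks")
    elif kind == "network":
        if event.get("dest", "").lower() in IOC_HOSTS:
            hits.append("connection to reported C2 host")
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not taken from the report
    {"type": "process", "image": r"C:\Users\kim\AppData\Local\Temp\ImagingDevices.exe", "parent": r"C:\Windows\hh.exe"},
    {"type": "process", "image": r"C:\Windows\System32\ImagingDevices.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Users\kim\AppData\Roaming\KaKaoTalk.exe", "parent": r"C:\Windows\System32\wscript.exe"},
    {"type": "file", "image": r"C:\Users\kim\AppData\Roaming\HNetComAgent.exe", "target": r"C:\Windows\Tasks\log.dat"},
    {"type": "network", "image": r"C:\Users\kim\AppData\Roaming\HimTraylcon.exe", "dest": "finance.my-homeip.com"},
]

def triage_all(events):
    """Return (image, reasons) for every event that raised at least one reason."""
    return [(e["image"], triage(e)) for e in events if triage(e)]

if __name__ == "__main__":
    for image, reasons in triage_all(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Only the legitimate ImagingDevices.exe launch from System32 comes back clean; the other four constructed events each match at least one stage of the reported chain.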

Indicators of Compromise

Type    Value                             First Seen  Last Seen
HASH    c3d34480c38e69cf585f1e645445a9d5  2022-05-03  2022-05-03
HASH    efb242e03a435dff4e253a5259a2324e  2022-05-03  2022-05-03
HASH    29b0818d2e374d7b86937a952975ab14  2022-05-03  2022-05-03
HASH    87e2fc68014bbedc41449e6835ec516a  2022-05-03  2022-05-03
DOMAIN  formsgle.freedynamicdns.net       2022-05-03  2022-05-03
DOMAIN  finance.my-homeip.com             2022-05-03  2022-05-03
IPv4    92.38.135.212                     2022-05-03  2022-05-03
