CHM malware targeting North Korea-related organizations

2023-03-14 Secu I CHM malware targeting North Korea-related organizations

https://stic.secui.com/main/main/threatInfo?id=119

A spear-phishing campaign targeted South Korean organizations related to North Korea by impersonating an email from a cyber safety bureau and attaching a ZIP archive that contained a malicious CHM help file. Opening the CHM displayed legitimate-looking legal content while an embedded script dropped and decoded Document.dat/Document.vbs, added a Run key for persistence, and executed PowerShell to retrieve additional code from attacker infrastructure. The downloaded script created a mutex, captured keystrokes and screenshots, and sent the stolen data to C2 paths under ibsq.co.kr; the hashes and URLs listed below are supplied as supporting indicators.
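The chain above (CHM help file launching a script host, a Run key pointing at a dropped .vbs, a script host launching PowerShell, and DNS lookups of the C2 domains from the indicator list) can be turned into simple host-based detection logic. The following is an added example written for this summary, not code from SecuI's report; the event records are constructed in a Sysmon-like shape, and the field names, the SID and the file paths are hypothetical.

```python
import re

# Domains taken from the indicator list in this report.
C2_DOMAINS = {"ibsq.co.kr", "libsq.co.kr", "ibsq.co"}
# Interpreters a CHM (hh.exe) should not normally spawn on an office workstation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)

# Constructed sample telemetry (hypothetical; paths and SID are not from the report).
SAMPLE_EVENTS = [
    {"type": "process", "image": "c:\\windows\\hh.exe", "parent": "c:\\windows\\explorer.exe"},
    {"type": "process", "image": "c:\\windows\\system32\\cmd.exe", "parent": "c:\\windows\\hh.exe"},
    {"type": "registry",
     "key": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Document",
     "value": "wscript.exe c:\\users\\victim\\appdata\\local\\temp\\Document.vbs"},
    {"type": "process", "image": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
     "parent": "c:\\windows\\system32\\wscript.exe"},
    {"type": "dns", "query": "ibsq.co.kr"},
    {"type": "process", "image": "c:\\windows\\system32\\notepad.exe", "parent": "c:\\windows\\explorer.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, detail) pairs for events matching stages of the CHM chain."""
    findings = []
    for e in events:
        if e["type"] == "process":
            image, parent = basename(e["image"]), basename(e["parent"])
            # Stage 1: the help viewer launching a script host or shell.
            if parent == "hh.exe" and image in SCRIPT_HOSTS:
                findings.append(("CHM_SPAWNS_SCRIPT_HOST", image))
            # Stage 3: the dropped VBS handing off to PowerShell.
            elif parent in {"wscript.exe", "cscript.exe"} and image == "powershell.exe":
                findings.append(("SCRIPT_HOST_LAUNCHES_POWERSHELL", image))
        # Stage 2: Run-key persistence whose command references a .vbs file.
        elif e["type"] == "registry" and RUN_KEY.search(e["key"]) and ".vbs" in e["value"].lower():
            findings.append(("RUN_KEY_VBS_PERSISTENCE", e["key"].rsplit("\\", 1)[-1]))
        # Stage 4: name resolution of a known C2 domain.
        elif e["type"] == "dns" and e["query"].lower() in C2_DOMAINS:
            findings.append(("KNOWN_C2_DOMAIN", e["query"]))
    return findings

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

The parent/child rules fire on behaviour rather than on hashes, so they still apply when the samples are recompiled; the domain rule is only as current as the indicator list.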

Indicators of Compromise

Type    Value                              First Seen   Last Seen
DOMAIN  ibsq.co.kr                         2023-03-14   2023-06-09
HASH    ded83a6bd7438b34b058f2fe5ee54c7e   2023-03-14   2023-05-24
HASH    7773dfd975802295cf27e4b80b6492df   2023-03-14   2023-03-14
HASH    4930cfbdf0653952d769d95330d4f43b   2023-03-14   2023-03-14
URL     http://ibsq.co/.kr/config/demo.…   2023-03-14   2023-03-14
URL     http://ibsq.co/.kr/config/show.…   2023-03-14   2023-03-14
URL     http://ibsq.co.kr/config           2023-03-14   2023-03-14
URL     http://libsq.co.kr/config          2023-03-14   2023-03-14
URL     http://libsq.co.kr/config/demo.…   2023-03-14   2023-03-14
DOMAIN  ibsq.co                            2023-03-14   2023-03-14
DOMAIN  libsq.co.kr                        2023-03-14   2023-03-14
