Malware disguised as a financial transaction confirmation document, created by the North Korean hacking group Kimsuky - confirmation.chm (2024.12.10)

2024-12-20 Sakai Kimsuky malware disguised as a financial transaction confirmation document (confirmation.chm)

https://wezard4u.tistory.com/429360


A Korean-language analysis attributes a malicious Windows CHM help file named confirmation.chm to Kimsuky and describes it as disguised as a financial transaction confirmation document. When opened, the CHM executes openCI.vbs from C:\Users\Public\Libraries, shows a decoy image to the user, and uses batch scripts to register persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The scripts collect system information, a process listing, and directory listings of the Desktop and Downloads folders, then send the staged data to hxxps://nasweir[.]com and request additional content through an out.php endpoint using the Base64-encoded computer name. The excerpt provides hashes for the CHM sample, including SHA-256 e6bcdb402999f6f35351c0b9a1be84345aea88c3f662ba27341d7857aeb8cc39, making the case useful for detecting Kimsuky CHM lures and script-based Windows staging.
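As an added defensive example (not code from the analysis or the linked post), the following Python scanner applies the staging chain summarised above to constructed process and network events and flags each stage. The hh.exe viewer name, the event shape, the query parameter name id, the Run value name and the batch file name are assumptions; the staging directory, Run key, domain and out.php endpoint are those the summary names.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample telemetry (not from the report). Staging path, Run key, domain and
# out.php endpoint come from the analysis; value name, run.bat, "id" and the host name are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\hh.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\Libraries\openCI.vbs"'},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d "C:\Users\Public\Libraries\run.bat" /f'},
    {"type": "network", "image": r"C:\Windows\System32\curl.exe",
     "url": "https://nasweir.com/out.php?id=" + base64.b64encode(b"DESKTOP-TEST").decode()},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

STAGING_DIR = re.compile(r"c:\\users\\public\\libraries\\", re.I)
RUN_KEY = re.compile(r"hkcu\\software\\microsoft\\windows\\currentversion\\run\b", re.I)
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
C2_DOMAIN = "nasweir.com"


def classify(event):
    """Return the detection tags that fire for one event (empty list if nothing fires)."""
    tags = []
    if event["type"] == "process":
        parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
        # hh.exe (the CHM viewer) spawning a script host on a script in the staging directory
        if parent.endswith("\\hh.exe") and image.endswith(SCRIPT_HOSTS) and STAGING_DIR.search(cmd):
            tags.append("chm_script_stage")
        # Run-key persistence whose target lives in the same staging directory
        if RUN_KEY.search(cmd) and STAGING_DIR.search(cmd):
            tags.append("run_key_persistence")
    elif event["type"] == "network":
        url = urlparse(event["url"])
        if url.hostname == C2_DOMAIN:
            tags.append("c2_domain")
            if url.path.endswith("/out.php"):
                tags.append("c2_out_php")
    return tags


def decode_host_id(url):
    """Recover the Base64-encoded computer name from an out.php request, or None if absent."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            try:
                name = base64.b64decode(value, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if name.isprintable():
                return name
    return None


def scan(events):
    """Map each flagged event index to its tags; benign events are omitted."""
    return {i: tags for i, tags in ((i, classify(e)) for i, e in enumerate(events)) if tags}
```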

Indicators of Compromise

Type    Value                                    First Seen  Last Seen
HASH    e6bcdb402999f6f35351c0b9a1be843…         2024-12-20  2024-12-20
HASH    38032503b59125fb464e1b7aaa449d3…         2024-12-20  2024-12-20
HASH    08b4bcee92417560d61c5f29649cdfad         2024-12-20  2024-12-20
URL     https://nasweir.com                      2024-12-20  2024-12-20
DOMAIN  nasweir.com                              2024-12-20  2024-12-20
