APT Attack Distributed via Windows Help File (*.chm)
2022-03-17 • AhnLab
AhnLab observed malicious Windows Help files distributed to South Korean users inside compressed email attachments alongside document files, with CHM execution triggering hidden script creation and follow-on download activity. The CHM files displayed legitimate-looking help content while using embedded HTML shortcut execution to write Document.dat and Document.vbs under the user profile Links directory. The VBS payload established persistence through HKCU Run and used PowerShell to download advupdate.exe from attacker-controlled URLs, although the currently fetched file was described as benign at analysis time. Related archive names and lures included court submission materials, contracts, wages, and game-server development help content, with infrastructure such as encorpost.com, nhn-games.com, sktelecom.help, and want-helper.com. The excerpt does not support DPRK attribution, but it documents an APT-style delivery chain abusing CHM files, social engineering, persistence, and staged executable download.
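The chain above (hh.exe launching a script host, Document.vbs/Document.dat dropped under the Links folder, an HKCU Run entry pointing at the VBS, and a PowerShell-driven download from the reported domains) maps onto a few host telemetry checks. The following detection logic is an added example, not part of the AhnLab report; the Sysmon-style events are constructed, and the event field names, user name and SID are assumptions.

```python
import re

# Domains named in the report's IoC table.
REPORT_DOMAINS = {"encorpost.com", "nhn-games.com", "sktelecom.help", "want-helper.com"}

# Constructed Sysmon-style events (not taken from the report); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\hh.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "echo ... > %USERPROFILE%\Links\Document.vbs"'},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\Links\Document.vbs"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Document",
     "Details": r"wscript.exe //e:vbscript C:\Users\alice\Links\Document.vbs"},
    {"EventID": 22, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "sktelecom.help"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\alice\Documents\manual.chm'},  # benign open
]

SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe")
LINKS_DROP = re.compile(r"\\Links\\Document\.(vbs|dat)$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

def detect_chm_chain(events):
    """Return (rule_name, event) pairs for events matching the CHM delivery chain."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        # Stage 1: the help viewer spawning a script host (CHM shortcut execution).
        if eid == 1 and ev.get("ParentImage", "").lower().endswith("\\hh.exe") \
                and ev.get("Image", "").lower().endswith(SCRIPT_HOSTS):
            hits.append(("hh.exe spawned script host", ev))
        # Stage 2: the reported drop location and file names under the Links folder.
        elif eid == 11 and LINKS_DROP.search(ev.get("TargetFilename", "")):
            hits.append(("Document.vbs/.dat written to Links", ev))
        # Stage 3: Run-key persistence whose value references a .vbs payload.
        elif eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")) \
                and ".vbs" in ev.get("Details", "").lower():
            hits.append(("HKCU Run persistence via VBS", ev))
        # Stage 4: name resolution for a domain listed in the report.
        elif eid == 22 and ev.get("QueryName", "").lower() in REPORT_DOMAINS:
            hits.append(("DNS query to reported domain", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in detect_chm_chain(SAMPLE_EVENTS):
        print(f"[{rule}] {ev}")
```

The final sample event (explorer.exe opening a .chm) produces no hit, which is the intended behaviour: opening help files is normal, hh.exe spawning cmd.exe is not.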
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://encorpost.com/post/post… | 2022-03-17 | 2022-03-17 |
| URL | https://sktelecom.help/download… | 2022-03-17 | 2022-03-17 |
| URL | https://want-helper.com/databas… | 2022-03-17 | 2022-03-17 |
| URL | https://nhn-games.com/game03953… | 2022-03-17 | 2022-03-17 |
| URL | https://sktelecom.help/download… | 2022-03-17 | 2022-03-17 |
| URL | https://mage.github.io/mage/ | 2022-03-17 | 2022-03-17 |
| DOMAIN | encorpost.com | 2022-03-17 | 2022-03-17 |
| DOMAIN | nhn-games.com | 2022-03-17 | 2022-03-17 |
| DOMAIN | sktelecom.help | 2022-03-17 | 2022-03-17 |
| DOMAIN | want-helper.com | 2022-03-17 | 2022-03-17 |
| DOMAIN | mage.github.io | 2022-03-17 | 2022-03-17 |