Malicious help files disguised as coronavirus confirmation notices distributed domestically
2022-03-31 • AhnLab • Malicious help files disguised as coronavirus confirmation notices distributed domestically
AhnLab ASEC reported malicious Windows HTML Help (CHM) files distributed to domestic Korean users under the guise of COVID-19 confirmation and cohabitant guidance notices. Opening the CHM displays a decoy coronavirus notice while embedded script commands decompile its contents to c:\programdata\chmtemp and run chmext.exe through hh.exe. ASEC links chmext.exe to the same type of payload seen in earlier malicious Word-document activity; the dropped IntelRST.exe performs process checks, establishes Run-key persistence, bypasses UAC and adds a Windows Defender exclusion. The malware attempts to reach dl.dropboxusercontent[.]com/s/k288s9tu2o53v41/zs_url.txt?dl=0 to retrieve an additional URL for follow-on activity, though the URL was unavailable at analysis time.
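A detection check for the two behaviours described above (hh.exe launching a binary decompiled into c:\programdata\chmtemp, followed by Run-key persistence from that process), run over constructed process and registry events. This is added example code, not from the ASEC report; the Sysmon-like event shape, pids, the benign entries and the IntelRST.exe path are assumptions.

```python
import ntpath

# Constructed sample events (not telemetry from the report). The staging directory and the
# names hh.exe / chmext.exe / IntelRST.exe come from the summary; everything else is made up.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\hh.exe", "cmdline": r'hh.exe "C:\Users\u\Downloads\notice.chm"'},
    {"type": "process", "pid": 4180, "parent_image": r"C:\Windows\hh.exe",
     "image": r"C:\programdata\chmtemp\chmext.exe", "cmdline": r"C:\programdata\chmtemp\chmext.exe"},
    # Benign: hh.exe opening a legitimate help file, no child spawned from the staging directory.
    {"type": "process", "pid": 4200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\hh.exe", "cmdline": r'hh.exe "C:\Program Files\App\help.chm"'},
    # Run-key write attributed to the chmext.exe process (value path is a constructed placeholder).
    {"type": "registry", "pid": 4180,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IntelRST",
     "value": r"C:\programdata\IntelRST.exe"},
]

STAGING_DIR = r"c:\programdata\chmtemp"  # decompile target named in the ASEC summary

def is_under(path, directory):
    """Case-insensitive check that a Windows path lies inside a directory."""
    norm = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(directory)) + "\\"
    return norm.startswith(base)

def detect_chm_chain(events):
    """Return (rule, pid, detail) tuples for the CHM execution chain and its persistence."""
    alerts = []
    suspicious_pids = set()  # processes that hh.exe launched from the staging directory
    for ev in events:
        if ev["type"] == "process":
            parent = ntpath.basename(ev["parent_image"]).lower()
            if parent == "hh.exe" and is_under(ev["image"], STAGING_DIR):
                suspicious_pids.add(ev["pid"])
                alerts.append(("hh_exe_child_from_chmtemp", ev["pid"], ev["image"]))
        elif ev["type"] == "registry":
            # Only flag Run-key writes made by a process already tied to the CHM chain.
            if "\\currentversion\\run\\" in ev["key"].lower() and ev["pid"] in suspicious_pids:
                alerts.append(("run_key_persistence_by_chm_payload", ev["pid"], ev["key"]))
    return alerts
```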
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://dl.dropboxusercontent.c… | 2022-03-31 | 2022-04-26 |