Malware being distributed disguised as a password file

2023-03-10 AhnLab Malware distributed disguised as a password file

https://asec.ahnlab.com/ko/49180/


AhnLab reports Korean-targeted malware distributed in archives that pair password-protected legitimate documents with files masquerading as password information. One CHM variant is assessed as likely tied to RedEyes/APT37/ScarCruft because it reuses commands seen in the group’s M2RAT persistence flow, launching mshta to fetch scripts and register Run-key persistence. The CHM samples contact infrastructure such as shacc.kr and 141.105.65.165 to receive commands and return Base64-encoded results, while a separate LNK variant drops a password text file and VBS script that retrieves additional code from hondes.getenjoyment.net. The report highlights continued abuse of CHM and LNK lures to make victims open malicious helper files alongside benign documents.

Indicators of Compromise

Type     Value                                 First Seen   Last Seen
URL      http://hondes.getenjoyment.net/…      2023-03-10   2024-09-05
DOMAIN   hondes.getenjoyment.net               2023-03-10   2024-09-05
HASH     809528921de39530de59e3793d74af98      2023-03-10   2023-03-21
URL      http://shacc.kr/skin/product/1.…      2023-03-03   2023-03-21
DOMAIN   shacc.kr                              2023-03-03   2023-03-21
IPv4     141.105.65.165                        2023-03-10   2023-03-16
HASH     2b79e2bd6548118c942480a52b5a1669      2023-03-10   2023-03-10
HASH     b39182a535f41699280ca088eef0f258      2023-03-10   2023-03-10
