CHM malware exploiting the Fukushima contaminated water discharge issue: RedEyes (ScarCruft)

2023-09-04 | AhnLab | CHM malware using the Fukushima contaminated water discharge issue: RedEyes (ScarCruft)

https://asec.ahnlab.com/ko/56654/

AhnLab reported renewed distribution of CHM malware believed to be associated with the RedEyes (ScarCruft) group, using public concern over the Fukushima contaminated-water discharge as the lure. Unlike earlier variants, which launched mshta directly from the CHM help file, this sample registered a Run key command so that the mshta chain would execute after the next reboot. The decoded PowerShell acted as a backdoor, contacting paths under navercorp[.]ru to retrieve commands and reporting results in Base64-encoded form. The documented commands covered file inventory and upload, directory compression and exfiltration, file download, scheduled-task registration, archive extraction, and file renaming, giving the operators both follow-on payload delivery and information theft.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    52f71fadf0ea5ffacd753e83a3d0af1a   2023-09-04  2023-09-08
URL     http://navercorp.ru/dashboard/i…   2023-09-04  2023-09-08
URL     http://navercorp.ru/dashboard/i…   2023-09-04  2023-09-08
DOMAIN  navercorp.ru                       2023-09-04  2023-09-08
