Anti-sandbox and enterprise-targeted attacks identified in CHM malware

2022-06-07 Ahnlab Anti-sandbox and enterprise-targeted attacks identified in CHM malware

https://asec.ahnlab.com/ko/35072/


AhnLab ASEC identified two CHM malware variants circulating in South Korea: one using anti-sandbox checks and another designed to avoid execution on consumer V3Lite systems while targeting enterprise environments. The anti-sandbox variant drops a malicious VBE only after checking the TEMP folder file count and confirming the expected DLL-hijacking process name, then registers itself under the Windows Run key. The enterprise-targeted variant creates and runs chmext.exe under ProgramData and exits if the V3Lite process is present, indicating selective execution against non-consumer environments. The report highlights CHM-based delivery, DLL hijacking, ReVBShell execution and environment-aware evasion as practical obstacles for sandbox analysis and endpoint detection.
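The behaviours summarised above (hh.exe spawning a dropped executable, chmext.exe running from ProgramData, a Run-key entry pointing at a script in TEMP) can be turned into endpoint detection logic. The following is an added example, not AhnLab's code or a rule from the report; the event schema, field names and sample records are constructed for illustration.

```python
"""Added example (not AhnLab's code): a detection pass over constructed endpoint
telemetry for the CHM-delivery, chmext.exe and Run-key behaviours in the summary.
The event schema and field names are assumptions, not a real product's format."""
import re

# Constructed sample events (not real telemetry): one process-creation event per
# line, plus one registry-write event, mimicking a Sysmon-style log.
EVENTS = [
    {"type": "process", "parent": r"C:\Windows\hh.exe",
     "image": r"C:\ProgramData\chmext.exe", "cmdline": "chmext.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\admin\AppData\Local\Temp\update.vbe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe", "cmdline": "notepad++.exe"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the rule names matched by one event (empty list if benign)."""
    hits = []
    if ev["type"] == "process":
        # CHM delivery: the help viewer hh.exe rarely has a reason to spawn executables.
        if _basename(ev["parent"]) == "hh.exe":
            hits.append("chm_spawns_process")
        # Enterprise-targeted variant drops and runs chmext.exe under ProgramData.
        if ev["image"].lower().startswith("c:\\programdata\\") and _basename(ev["image"]) == "chmext.exe":
            hits.append("chmext_in_programdata")
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        # Persistence: Run-key value set by a script host, or pointing at a .vbe in TEMP.
        val = ev["value"].lower()
        if _basename(ev["image"]) in SCRIPT_HOSTS or "\\temp\\" in val or val.endswith(".vbe"):
            hits.append("run_key_script_persistence")
    return hits


def scan(events):
    """Run every event through classify() and return (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]
```

The TEMP file-count and V3Lite process checks happen inside the malware and leave no direct event, so they are not modelled here; the observable side effects above are what telemetry can catch.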

Indicators of Compromise

