ASEC describes an information-stealing malware campaign delivered through CHM files that impersonated Korean financial firms and insurers around billing dates likely to make recipients trust the lures. The CHM execution chain used hh.exe to open the help file, decompiled content to C:\Users\Public\Libraries, ran Docs.jse with wscript, registered persistence, and launched command-line/PowerShell activity to retrieve alg.exe. EDR telemetry showed the downloaded stealer collecting PC, directory, and browser information, compressing stolen data under Public\Pictures, and transmitting it to an attacker-controlled server. The report provides hashes, detection names, and multiple download URLs associated with the CHM dropper and infostealer stages.