CHM Malware Stealing User Information Being Distributed in Korea

2024-05-08 Ahnlab

https://asec.ahnlab.com/en/65245/


ASEC reported a CHM malware campaign against Korean users that resembles earlier Kimsuky-linked LNK, DOC, OneNote, and CHM activity. Opening the CHM displays a help file while a hidden script creates %USERPROFILE%\Links\Link.ini, reaches bootservice.php?query=1, and runs a Base64-encoded script that collects system, file, process, and anti-malware information. The malware registers an OfficeUpdater INI script as a service scheduled every 60 minutes, then retrieves another fileless script from bootservice.php?query=6. A later PowerShell stage at loggerservice.php?idx=5 performs keylogging, stores keystrokes and clipboard data in Office_Config.xml under the Templates folder, sends the data to the actor, and deletes the file after upload.
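As an added example that is not part of ASEC's report, the following Python matcher flags the host and network artifacts named in the summary above when they show up in endpoint telemetry. The event format and field names, the sample events, the placeholder host, and the assumption that the persistence entry is named after "OfficeUpdater" are all constructed for illustration; the 32-character hash comes from the indicator table below.

```python
import re
from typing import Dict, List

# Indicators taken from the summary; everything else in this block is constructed.
IOC_HASH = "b2c74dbf20824477c3e139b48833041b"
FILE_PATHS = [
    r"\Links\Link.ini",                # created by the hidden CHM script
    r"\Templates\Office_Config.xml",   # keystroke/clipboard store of the keylogger stage
]
URL_PATTERNS = [
    re.compile(r"bootservice\.php\?query=\d+", re.I),    # query=1 and query=6 stages
    re.compile(r"loggerservice\.php\?idx=\d+", re.I),    # keylogger stage (idx=5)
]
TASK_NAME = "officeupdater"   # assumed: persistence entry carries this name
TASK_INTERVAL_MIN = "60"      # summary: scheduled every 60 minutes

def match_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) why one telemetry event matches the campaign."""
    hits = []
    kind = event.get("type")
    if kind == "file_create":
        path = event.get("path", "")
        if any(path.lower().endswith(p.lower()) for p in FILE_PATHS):
            hits.append(f"dropped artifact {path}")
        if event.get("hash", "").lower() == IOC_HASH:
            hits.append(f"known sample hash {IOC_HASH}")
    elif kind == "network":
        url = event.get("url", "")
        if any(p.search(url) for p in URL_PATTERNS):
            hits.append(f"C2 script request {url}")
    elif kind == "task_register":
        name = event.get("name", "").lower()
        if TASK_NAME in name and event.get("interval_min") == TASK_INTERVAL_MIN:
            hits.append(f"persistence task {event.get('name')} every {TASK_INTERVAL_MIN} min")
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Scan a list of events; return {index: reasons} for every event that matched."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}

# Constructed telemetry: three events from the described chain plus one benign event.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\u\Links\Link.ini"},
    {"type": "network", "url": "http://EXAMPLE-HOST/bootservice.php?query=1"},
    {"type": "task_register", "name": "OfficeUpdater", "interval_min": "60"},
    {"type": "file_create", "path": r"C:\Users\u\Documents\notes.txt"},
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(i, "; ".join(reasons))
```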

Indicators of Compromise

Type Value First Seen Last Seen
HASH b2c74dbf20824477c3e139b48833041b 2024-04-25 2024-05-08
