DPRK Targeting Researchers II: .Sys Payload and Registry Hunting

2021-02-01 Norfolk

https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/


Norfolk Infosec analyzed a malicious helpsvc.sys component from a DPRK-affiliated campaign targeting security researchers, likely delivered through a watering-hole route rather than the earlier Visual Studio social-engineering chain. The file behaves like a service DLL and attempts to read hidden payload data from HKLM\Software\Microsoft\Windows\CurrentVersion\KernelConfig values named SubVersion and Description. Recovered registry data enabled a second-stage executable to run, dynamically resolve Windows APIs, communicate with C2 servers over OpenSSL, and store data under HKLM\Software\Microsoft\Windows\CurrentVersion\DriverConfig. The decoded C2 endpoints included colasprint.com, dronerc.it, and fabioluciani.com paths, and the command set supported file execution, process and directory enumeration, network-adapter collection, drive and file discovery, process control, and screen capture. The registry-resident payload design gives defenders a hunting angle around unusually large registry values used to stage executable code.
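The hunting angle above turned into a runnable check, as an added example that is not from the original post or Norfolk's analysis: it walks the KernelConfig and DriverConfig keys named in the summary, then every subkey under CurrentVersion, and reports values large enough to hold staged executable code. The 64 KB threshold, the `Find-LargeRegistryValues` function name and the choice of which value kinds can carry a payload are the editor's assumptions.

```powershell
# Added hunting example (not from the report). Threshold is an assumption:
# legitimate values are rarely this large, a staged PE usually is.
$Root      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'
$MinBytes  = 64KB
# Keys the analysis ties to the payload; scanned even if they hold nothing large.
$KnownKeys = @("$Root\KernelConfig", "$Root\DriverConfig")

function Get-ValueSizeBytes {
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Name)
    # Read raw, without expanding %VAR% so the stored length is measured.
    $data = $Key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
    switch ($Key.GetValueKind($Name)) {
        'Binary'       { return $data.Length }
        'String'       { return [Text.Encoding]::Unicode.GetByteCount($data) }
        'ExpandString' { return [Text.Encoding]::Unicode.GetByteCount($data) }
        'MultiString'  { return ($data | ForEach-Object {
                             [Text.Encoding]::Unicode.GetByteCount($_) } |
                             Measure-Object -Sum).Sum }
        default        { return 0 }   # DWORD/QWORD cannot hold a payload
    }
}

function Find-LargeRegistryValues {
    param([Microsoft.Win32.RegistryKey[]]$Keys, [int]$Threshold)
    foreach ($key in $Keys) {
        foreach ($name in $key.GetValueNames()) {
            $size = Get-ValueSizeBytes -Key $key -Name $name
            if ($size -ge $Threshold) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = if ($name) { $name } else { '(Default)' }
                    Kind  = $key.GetValueKind($name)
                    Bytes = $size
                }
            }
        }
    }
}

# Known keys from the report plus every CurrentVersion subkey, for renamed variants;
# de-duplicated by full key name so a known key is not scanned twice.
$keys = @($KnownKeys | ForEach-Object { Get-Item -LiteralPath $_ -ErrorAction SilentlyContinue }) +
        @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
$keys = $keys | Where-Object { $_ } | Sort-Object Name -Unique

Find-LargeRegistryValues -Keys $keys -Threshold $MinBytes |
    Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Run from an elevated prompt so all of CurrentVersion is readable; any hit under KernelConfig or DriverConfig warrants pulling the value and checking it for an executable header before treating it as staged code.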

Indicators of Compromise

