Tracking CHM malware using EDR (EDR을 활용한 CHM 악성코드 추적)

2023-03-21 Ahnlab Tracking CHM malware using EDR

https://asec.ahnlab.com/ko/49939/


AhnLab ASEC described how defenders can use EDR telemetry to track CHM malware activity associated with recently disclosed APT-style attacks. The analyzed CHM file runs script through the signed Windows help binary hh.exe, a MITRE ATT&CK T1218.001 system-binary proxy-execution technique, then invokes mshta.exe and PowerShell to retrieve attacker code from hxxp://shacc[.]kr/skin/product/1.html. The follow-on PowerShell backdoor maintains persistence by registering commands under the Run key, giving EDR operators process-tree, C2, and autorun artifacts to hunt. AhnLab lists detections such as Trojan/CHM.Agent and Backdoor/Powershell.Generic.SC187227 and provides hashes including 809528921de39530de59e3793d74af98 and 32445d05dd1348bce9b6a395b2f8fbd8.
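
As an added, defender-side example that is not from the AhnLab post, the following Python walks constructed EDR-style process and registry events and flags the chain described above (hh.exe spawning mshta.exe and PowerShell, and a Run-key write from that lineage); the event field names, sample paths and command lines are assumptions, not any vendor's schema.

```python
# Added example, not AhnLab code: hunt for the CHM execution chain
# (hh.exe -> mshta.exe -> powershell.exe) and Run-key persistence in
# EDR-style telemetry. Event schema and sample values are constructed.

# Constructed sample telemetry (assumed field names).
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "process", "pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "registry", "pid": 400,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "update"},
    # Benign-looking help viewer launch with no follow-on interpreter.
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Windows\hh.exe"},
]

# Interpreters/proxies that should not normally descend from the help viewer.
SUSPICIOUS_CHILDREN = ("mshta.exe", "powershell.exe", "cmd.exe",
                       "rundll32.exe", "wscript.exe", "cscript.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Image basenames from pid up to the root, child first."""
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def hunt(events):
    """Return (rule, pid, chain) findings for hh.exe proxy execution and Run-key autoruns."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        chain = ancestry(procs, e["pid"])
        if e["type"] == "process":
            # Flag interpreters whose ancestors include the signed help binary.
            if basename(e["image"]) in SUSPICIOUS_CHILDREN and "hh.exe" in chain[1:]:
                findings.append(("chm_proxy_exec", e["pid"], " <- ".join(chain)))
        elif e["type"] == "registry" and e["key"].lower().endswith("\\currentversion\\run"):
            # Run-key write by a process descended from hh.exe: persistence artifact.
            if "hh.exe" in chain:
                findings.append(("chm_run_key_persistence", e["pid"], " <- ".join(chain)))
    return findings
```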

Indicators of Compromise

Type Value First Seen Last Seen
HASH 32445d05dd1348bce9b6a395b2f8fbd8 2023-03-21 2023-03-21
HASH 809528921de39530de59e3793d74af98 2023-03-10 2023-03-21
URL http://shacc.kr/skin/product/1.… 2023-03-03 2023-03-21
DOMAIN shacc.kr 2023-03-03 2023-03-21
