Kimsuky group's CHM-based reconnaissance malware

2024-02-22 Secu I Kimsuky group CHM-based reconnaissance malware

https://stic.secui.com/main/main/threatInfo?id=209


SECUI analyzes a Kimsuky reconnaissance malware variant that shifted delivery from the earlier LNK files to a compiled HTML Help (CHM) file. The CHM lure appears to contain Bitcoin-key-themed content and executes its embedded scripts through hh.exe, which decompiles the files into C:\ProgramData\WindowsSystemDeviceManager before launching tsmgr.vbs. That script registers an hourly scheduled task named SystemDeviceUpdate to run AppXml.dat, removes the staging files, and contacts https://lfpa.website/pkg/qsuw.php with the value 34689 to retrieve additional script code. The follow-on script changes Internet Explorer and Edge related registry settings, showing Kimsuky's continued use of lightweight, script-based reconnaissance chains to stage later activity.
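
Detection logic for the chain summarised above, written as an added example rather than anything from the SECUI report: the Sysmon-style record format, field names and sample log lines are constructed for this example, and only the paths, task name, payload name and domain come from the summary.

```python
import re
from typing import Iterable

# Indicators taken from the chain summarised above (constructed detection logic).
STAGING_DIR = re.compile(r"C:\\ProgramData\\WindowsSystemDeviceManager", re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
TASK_NAME = re.compile(r'/tn\s+"?SystemDeviceUpdate"?', re.I)
PAYLOAD = re.compile(r"AppXml\.dat", re.I)
C2_HOST = re.compile(r"lfpa\.website", re.I)

def parse_line(line: str) -> dict:
    """Parse a constructed 'key=value|key=value' Sysmon-style record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def classify(ev: dict) -> list[str]:
    """Return the stages of the reported chain that a single event matches."""
    hits = []
    parent, image = ev.get("ParentImage", ""), ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    # Stage 1: hh.exe spawning a script host on a file in the CHM staging directory.
    if parent.lower().endswith("\\hh.exe") and SCRIPT_HOST.search(image) and STAGING_DIR.search(cmd):
        hits.append("chm_script_launch")
    # Stage 2: schtasks registering the SystemDeviceUpdate task that runs AppXml.dat.
    if image.lower().endswith("\\schtasks.exe") and TASK_NAME.search(cmd) and PAYLOAD.search(cmd):
        hits.append("persistence_task")
    # Stage 3: any process resolving or contacting the reported C2 domain.
    if C2_HOST.search(cmd) or C2_HOST.search(ev.get("DestinationHostname", "")):
        hits.append("c2_contact")
    return hits

def scan(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Run classify() over log records and return (EventId, stages) for each match."""
    matches = []
    for ev in map(parse_line, lines):
        hits = classify(ev)
        if hits:
            matches.append((ev.get("EventId", "?"), hits))
    return matches

SAMPLE_LOGS = [  # constructed records for this example, not telemetry from the report
    "EventId=1|ParentImage=C:\\Windows\\hh.exe|Image=C:\\Windows\\System32\\wscript.exe"
    "|CommandLine=wscript.exe C:\\ProgramData\\WindowsSystemDeviceManager\\tsmgr.vbs",
    "EventId=2|ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Windows\\System32\\schtasks.exe"
    "|CommandLine=schtasks /create /sc hourly /tn SystemDeviceUpdate /tr "
    "\"wscript C:\\ProgramData\\WindowsSystemDeviceManager\\AppXml.dat\"",
    "EventId=3|Image=C:\\Windows\\System32\\wscript.exe|DestinationHostname=lfpa.website",
    "EventId=4|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\notepad.exe"
    "|CommandLine=notepad.exe notes.txt",
]

if __name__ == "__main__":
    for event_id, stages in scan(SAMPLE_LOGS):
        print(f"event {event_id}: {', '.join(stages)}")
```

Each stage is matched independently, so a host that only shows the scheduled task (the CHM launch having been cleaned up) still surfaces as a persistence hit.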

Indicators of Compromise

