Malware disguised as a patent fee payment confirmation, created by Konni (코니) - PaymentConfirmation.chm (2023.12.29)

2024-01-17 Sakai Malicious code disguised as a patent fee payment confirmation created by Konni - PaymentConfirmation.chm (2023.12.29)

https://wezard4u.tistory.com/6711


The source analyzes a Konni-linked CHM file named PaymentConfirmation.chm that masquerades as a Korean patent fee payment receipt. Its embedded emlmanager.vbs launches a hidden batch file, creates or checks a SafeBrowsing scheduled task, and uses additional batch scripts to stage collection activity from C:\Users\Public\Libraries. The malware gathers system information, running processes, and Desktop and Downloads directory listings, then sends the resulting text files to niscarea.com. The report also provides hashes for the CHM sample and describes the activity as aligned with Konni, a North Korea-linked cluster associated with targeted operations since at least 2014.
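As an added defender-side check, not part of the original report or the blog it summarizes, the PowerShell below hunts a single Windows host for the artifacts the summary above attributes to this sample. The task name, staging path, domain, script name and full hash are taken from this page; treating the 32-character hash as MD5, the Downloads search path, and the 4688 event check (which needs process-creation auditing with command-line logging enabled) are assumptions.

```powershell
# Added triage script, not from the original report. Hunts for the artifacts the
# summary attributes to PaymentConfirmation.chm. Task name, staging path, domain,
# script name and hash come from the report; MD5 (inferred from hash length), the
# Downloads path and the 4688 check are assumptions.
$TaskName    = 'SafeBrowsing'
$StagingPath = 'C:\Users\Public\Libraries'
$Domain      = 'niscarea.com'
$KnownMd5    = '2548d0e05c47c506cf9fd668dace5497'   # full hash listed in the report
$Findings    = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Indicator = $Kind; Detail = $Detail })
}

# 1. Persistence: the SafeBrowsing scheduled task created or checked by emlmanager.vbs
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $acts = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'ScheduledTask' "$TaskName -> $acts"
}

# 2. Staging: batch/VBS droppers and collected .txt output under the public Libraries folder
if (Test-Path $StagingPath) {
    Get-ChildItem -Path $StagingPath -Recurse -File -Include *.bat, *.vbs, *.txt -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'StagedFile' "$($_.FullName) (modified $($_.LastWriteTime))" }
}

# 3. Delivery: CHM files in any user's Downloads whose MD5 matches the reported sample
Get-ChildItem -Path 'C:\Users\*\Downloads\*.chm' -File -ErrorAction SilentlyContinue | ForEach-Object {
    if ((Get-FileHash -Path $_.FullName -Algorithm MD5).Hash -ieq $KnownMd5) {
        Add-Finding 'KnownSample' $_.FullName
    }
}

# 4. Exfiltration: resolver cache entries for the domain the collected text files are sent to
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$Domain*" } |
    ForEach-Object { Add-Finding 'DnsCache' "$($_.Entry) -> $($_.Data)" }

# 5. Execution trace: recent process-creation events that reference the embedded VBS
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'emlmanager\.vbs' } |
    ForEach-Object { Add-Finding 'ProcessCreate' ('{0:u} event 4688 references emlmanager.vbs' -f $_.TimeCreated) }

if ($Findings.Count) { $Findings | Format-Table -AutoSize }
else { 'No PaymentConfirmation.chm indicators found on this host.' }
```

Run it from an elevated prompt so the Security log and scheduled-task queries succeed; an empty result only means these specific artifacts are absent, not that the host is clean.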

Indicators of Compromise

Type Value First Seen Last Seen
URL https://niscarea.com 2023-11-28 2024-12-27
DOMAIN niscarea.com 2023-11-28 2024-12-27
HASH 2548d0e05c47c506cf9fd668dace5497 2024-01-17 2024-04-05
HASH fd47c8418d9f8ed39f2f746042c982a… 2024-01-17 2024-04-05
HASH 8ac21a35158ba9ebf80493bdb8cf8eb… 2024-01-17 2024-04-05
URL https://niscarea.com/ 2024-01-17 2024-04-05
URL https://niscarea.com/cgi-sys/su… 2024-01-17 2024-01-17
DOMAIN highelp.azurewebsites.net 2024-01-17 2024-01-17
