Malware Analysis of Kimsuky's Attacks - chm
2025-01-02 • SecAI
https://www.secai.ai/blog/latest_research/Malware-Analysis-of-Kimsuky's-Attacks-chm
SecAI analyzes a malicious CHM (Compiled HTML Help) sample linked to Kimsuky activity, showing how the file uses an embedded HTML page and script execution to launch VBS code. The infection chain runs a VBS script from the same directory as the CHM, which in turn executes a second VBS payload stored under the non-script file name AppXml.dat; that stage decrypts its commands and downloads a further malicious file from lfpa.website, which is then executed. The vendor says it has observed Kimsuky targeted attacks since 2024, including samples themed around the South Korean Embassy in China, construction-company invoices, and lectures at a South Korean university.

The post identifies Kimsuky as a North Korean government-supported actor also tracked as APT43, Velvet Chollima, Thallium, and Sparkling Pisces, targeting South Korea, Japan, and the United States, and sectors such as government, national security, pharmaceuticals, energy, and education. The finding matters because it shows continued reliance on phishing lure documents and multi-stage script loaders, with the second stage hidden behind a benign-looking extension, for information theft and remote-control operations.
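The launch step in a CHM of this kind is normally an HTML Help ActiveX (HHCtrl) shortcut object whose Item1 parameter names the command to run, triggered by a script call to its Click() method. The triage helper below is an added example, not code from SecAI or content of the analyzed sample: it parses HTML pages already extracted from a CHM (for instance with `7z x sample.chm` or `hh.exe -decompile <dir> sample.chm`), pulls the command out of every HHCtrl ShortCut object, and flags the traits the write-up describes (a script host, a .vbs file referenced by a relative path, a .dat second stage, automatic Click()). The embedded HTML, the file name loader.vbs and the command line are constructed for the demonstration and are not indicators from the report.

```python
"""Triage HTML pages extracted from a CHM for HHCtrl ShortCut launchers.

Added example; the sample HTML below is constructed and mirrors the chain the
write-up describes (page -> shortcut object -> VBS in the CHM's own directory).
"""
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx). An <OBJECT> with this
# classid and <PARAM name=Command value=ShortCut> runs the program named in
# <PARAM name=Item1 value="<window>,<program>,<arguments>"> when Click() fires.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "cmd", "rundll32", "regsvr32")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".hta", ".ps1", ".bat", ".cmd")

# Constructed sample (assumption: not the real sample's page or file names).
SAMPLE_HTML = """<HTML><BODY>
<OBJECT id="shortcut" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Item1" value=",cmd.exe,/c start /min wscript.exe //b loader.vbs">
</OBJECT>
<SCRIPT>shortcut.Click();</SCRIPT>
</BODY></HTML>"""


class _ObjectParser(HTMLParser):
    """Collect every <OBJECT> with its classid, id and <PARAM> name/value pairs."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        tag = tag.lower()
        if tag == "object":
            self._cur = {"classid": a.get("classid", "").lower(),
                         "id": a.get("id", ""), "params": {}}
            self.objects.append(self._cur)
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag.lower() == "object":
            self._cur = None


def find_shortcut_commands(html):
    """Return [{'id', 'program', 'args'}] for each HHCtrl ShortCut object in the page."""
    p = _ObjectParser()
    p.feed(html)
    cmds = []
    for o in p.objects:
        if HHCTRL_CLSID in o["classid"] and o["params"].get("command", "").lower() == "shortcut":
            parts = o["params"].get("item1", "").split(",", 2)  # window, program, arguments
            cmds.append({"id": o["id"],
                         "program": parts[1].strip() if len(parts) > 1 else "",
                         "args": parts[2].strip() if len(parts) > 2 else ""})
    return cmds


def triage(html):
    """Attach heuristic flags to each extracted launcher command."""
    findings = []
    for c in find_shortcut_commands(html):
        line = f"{c['program']} {c['args']}".lower()
        flags = []
        if any(h in line for h in SCRIPT_HOSTS):
            flags.append("script-host")
        if any(ext in line for ext in SCRIPT_EXTS):
            flags.append("script-file")
        if re.search(r"\.dat\b", line):
            flags.append("dat-payload")  # second stage hidden behind a non-script extension
        # A script path with no drive letter, UNC prefix or env var resolves
        # relative to the CHM's own directory, as in the described chain.
        for tok in line.split():
            if tok.endswith(SCRIPT_EXTS) and not re.match(r'^([a-z]:|\\\\|%|")', tok):
                flags.append("relative-script-path")
                break
        if c["id"] and re.search(r"\b%s\.click\(" % re.escape(c["id"]), html, re.I):
            flags.append("auto-click")  # page triggers the launcher without user action
        findings.append({**c, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HTML):
        print(f)
```

Run it over every .htm/.html file the decompiler produced; a page with an HHCtrl ShortCut object whose command touches a script host and a relatively addressed .vbs, and that auto-clicks it, is worth pulling the referenced script and any sibling .dat file for the next stage of analysis.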
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://lfpa.website/pkg/qsuw.p… | 2025-01-02 | 2025-01-02 |
| DOMAIN | lfpa.website | 2024-02-22 | 2025-01-02 |