Knownsec 404 analyzed malicious CHM samples using Korean-language decoys themed around insurance, securities, finance, and communications bills, with targeting directed at South Korea. The CHM attack chain decompiled itself, released files under a public user directory, executed a JSE script, downloaded a payload as alg.exe, and showed code overlap with CHM activity previously disclosed by AhnLab. The final payload, named FakeCheck by the researchers, is a .NET RAT that collects host, disk, browser, bookmark, saved-password, and recent-file data, stores the results under the public pictures directory, uploads them to C2, and executes commands received from the server. Although some researchers attributed the activity to APT37, Knownsec states that the observed samples and TTPs do not provide direct evidence for that attribution and could represent new APT37 tradecraft or another actor using similar CHM techniques.