Breakglass analyzed a live Kimsuky C2 tied to a CHM-based intrusion chain after a MalwareBazaar submission exposed check.nid-log[.]com serving multiple payload stages. The chain uses hh.exe, PowerShell, certutil, and wscript to decode and execute VBScript that performs host reconnaissance, creates an "Edge Updater" scheduled task, and fetches later-stage code directly over HTTP. Recovered payloads include a PowerShell keylogger with keystroke capture, clipboard monitoring, active-window tracking, a Global\AlreadyRunning19122345 mutex, and timed multipart exfiltration to finalservice.php. The infrastructure retained the "Million OK !!!!" health-check signature seen in earlier Kimsuky reporting while moving across multiple VPS providers and 79 mapped domains, giving defenders concrete payload source, endpoints, and detection artifacts.