The Updated APT Playbook: Tales from the Kimsuky threat actor group
The Kimsuky threat actor group, also known as Black Banshee or Thallium, originates from North Korea and has been active since at least 2012. Kimsuky focuses primarily on intelligence gathering. Researchers believe Kimsuky is using CHM (Compiled HTML Help) files, delivered in several ways as part of an ISO, VHD, ZIP or RAR container. The reason for this approach is that such container formats can get past the first line of defense; once the container is opened, the CHM file inside is executed.
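Because the CHM arrives wrapped in a container, a defender's first practical check is to look inside the container rather than at its outer extension. The script below is an added example written for this article, not code from the researchers or from any Kimsuky sample: it opens a ZIP archive (the one container format Python handles without extra tooling; ISO, VHD and RAR need separate libraries) and flags every member that is a CHM file, identified by the "ITSF" signature at the start of the file rather than by its name, so a CHM renamed to .pdf is still caught. The sample archive it scans is constructed inline and contains no real malware payload.

```python
import io
import zipfile

# Microsoft Compiled HTML Help files begin with the ITSF signature.
CHM_MAGIC = b"ITSF"


def find_chm_members(zip_bytes: bytes) -> list:
    """Scan a ZIP archive held in memory and return (member name, reason)
    pairs for every member that is, or claims to be, a CHM file.

    A member is reported when its first four bytes are the ITSF signature
    (regardless of extension) or when it carries a .chm extension but lacks
    the signature (a possible decoy or corrupted file worth a look)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(CHM_MAGIC))
            by_ext = info.filename.lower().endswith(".chm")
            by_magic = head == CHM_MAGIC
            if by_magic and not by_ext:
                hits.append((info.filename, "CHM magic bytes under a non-.chm extension"))
            elif by_magic:
                hits.append((info.filename, "CHM file"))
            elif by_ext:
                hits.append((info.filename, ".chm extension without ITSF header"))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive (hypothetical names, not a real artifact):
    one plainly named CHM, one benign text file, and one CHM disguised as a PDF.
    The CHM bodies are just the ITSF signature followed by padding."""
    fake_chm = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2023.chm", fake_chm)
        zf.writestr("readme.txt", b"Nothing to see here.\n")
        zf.writestr("report.pdf", fake_chm)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_chm_members(build_sample_zip()):
        print(f"{name}: {reason}")
```

Run against a real attachment with `find_chm_members(open(path, "rb").read())`. The magic-byte check is the part that matters in practice: extension-based filters are exactly the "first line of defense" the container is meant to slip past.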