CHM Files: A Hidden Threat

Attackers have begun reviving a legacy attack vector by weaponizing Microsoft Compiled HTML Help (CHM) files to deliver multi-stage malware. A malicious CHM named “deklaracja.chm,” uploaded from Poland on June 30, 2025, exploits Windows’ built-in help viewer to run hidden scripts and deploy payloads without user suspicion.

Once executed, the CHM renders a legitimate-looking help topic while silently creating a Link.ini shortcut in the “%USERPROFILE%\Links” folder. That shortcut triggers a Base64-encoded script fetched from attacker-controlled infrastructure. The script then spawns a malicious service file, scheduled to run hourly, which downloads and decodes PowerShell payloads responsible for keylogging, clipboard monitoring, system reconnaissance, and data exfiltration.

This method is rather stealthy. It exploits trust in Help files and bypasses mac-based scanning mechanisms. Legacy formats like CHM avoid typical file-type filters, making them ideal vehicles for multi-stage attacks.

Why This Is a Threat
  • CHM files are still trusted by Windows and often whitelisted.
  • The multi-stage payload chain leverages obfuscation and scheduled services to persist.
  • Active targeting of users in Europe suggests a strategic adversary focused on espionage or credential theft.

Industries affected may include finance, healthcare, legal, government, energy, manufacturing, and IT services: anywhere legacy file formats are supported and systems automate CHM content delivery.

How Organizations Can Defend Themselves
  1. Block or restrict CHM execution via group policy or endpoint controls.
  2. Monitor creation of scheduled services and shortcut files in user folders.
  3. Enable PowerShell and script execution logging for anomaly detection.
  4. Harden download filters to flag CHM, especially from external sources.
  5. Educate users on the risks of opening unexpected Help files or attachments.
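The following script is an added example (not COE Security's code and not taken from the incident described above) showing how the monitoring in steps 2 and 3 could be expressed as detection logic. It runs over a handful of constructed events whose field names are an assumption modelled on flattened Sysmon exports (Event ID 1 process creation, Event ID 11 file creation) and the Windows System log (Event ID 7045 service installation); the paths, service name and encoded command-line sample are all constructed, not real indicators.

```python
import re

# Constructed sample events (not real telemetry). Field names are assumed to
# follow a flattened Sysmon / Windows event log export; the CHM launch, the
# Link.ini write and the service install mirror the chain described on the page.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\hh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\deklaracja.chm'},
    {"EventID": 11, "Image": r"C:\Windows\hh.exe",
     "TargetFilename": r"C:\Users\alice\Links\Link.ini"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\hh.exe",
     # The Base64 blob is a constructed placeholder (it decodes to the alphabet), not a payload.
     "CommandLine": "cmd.exe /c powershell -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="},
    {"EventID": 7045, "ServiceName": "UpdateSvc",
     "ImagePath": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# A file written by the help viewer into a user's Links folder (the page's Link.ini).
USER_LINKS_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\Links\\", re.IGNORECASE)
# Services whose binary lives under a user profile are rarely legitimate.
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)
# Interpreters the help viewer (hh.exe) has no business launching.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
# PowerShell's encoded-command switch followed by a Base64 blob.
ENCODED_PS_RE = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, detail) tuples for every event matching a rule."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            parent = basename(ev.get("ParentImage", ""))
            child = basename(ev.get("Image", ""))
            cmdline = ev.get("CommandLine", "")
            if parent == "hh.exe" and child in SCRIPT_HOSTS:
                alerts.append(("hh_spawns_script_host", cmdline))
            if ENCODED_PS_RE.search(cmdline):
                alerts.append(("encoded_powershell", cmdline))
        elif eid == 11:  # file creation
            if basename(ev.get("Image", "")) == "hh.exe" and \
                    USER_LINKS_RE.match(ev.get("TargetFilename", "")):
                alerts.append(("hh_writes_user_links", ev["TargetFilename"]))
        elif eid == 7045:  # service installed
            if USER_PROFILE_RE.match(ev.get("ImagePath", "")):
                alerts.append(("service_from_user_profile", ev["ServiceName"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The rules are deliberately narrow: hh.exe launching a script host, hh.exe writing into a user's Links folder, a service installed from a user-writable path, and an encoded PowerShell command line. Each corresponds to one stage the page describes, so a single hit is worth triage and several hits on the same host indicate the full chain. Step 3 (script block logging) is what makes the decoded payload visible afterwards; the encoded-command rule only catches the launch.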

Conclusion

This resurgence of CHM-based malware highlights how attackers exploit forgotten Windows features. What was once a documentation format is now weaponized for stealth delivery of data exfiltration tools. Securing legacy file handlers, enforcing strict execution policies, and maintaining vigilant monitoring are critical to staying protected.

About COE Security

At COE Security, we support organizations in finance, healthcare, legal, government, energy, manufacturing, and IT services by delivering:

  • Legacy format risk assessments and file execution policies
  • Script and service monitoring to detect abnormal scheduled jobs
  • Endpoint controls that block or sandbox CHM and other legacy formats
  • Employee training and awareness programs focused on unconventional threat vectors
  • Compliance support aligned with GDPR, HIPAA, PCI DSS, SOX, and other regulations

Follow COE Security on LinkedIn to stay updated and cyber safe with expert insights, alerts, and best practices.
