Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland
released on 2025-07-14 @ 11:55:55 AM
A malicious CHM file targeting Poland was discovered that carries an infection chain dropping and executing a C++ downloader. The CHM displays a decoy image while obfuscated JavaScript extracts and runs a DLL. The downloader retrieves its payload from a domain associated with earlier Belarus-linked activity; the payload is encrypted and appended to an image file. The chain runs in several stages, uses living-off-the-land binaries (LOLBins), and creates a scheduled task for persistence. The campaign resembles activity attributed to FrostyNeighbor and UNC1151, threat actors known for targeting Eastern European countries.