CHM (Microsoft Compiled HTML Help) is the extension used by Windows help files and other files such as e-books. Cybercriminals have been known to abuse vulnerabilities in CHM files to execute arbitrary code. Successful exploitation requires the user is tricked into opening or decompiling a malicious CHM file, which may be used to execute malicious routines the same way a malicious EXE file would.
In 2015, threat actors used a zipped CHM file to display a MERS-related webpage from a popular Japanese information site. The CHM file was coded to drop the backdoor file ZXShell, which is commonly used in targeted attacks.