A giant threat approaches: the special mission 'Giant Baby' (Operation Giant Baby)
2019-03-28 • ESTSecurity • The special 'Operation Giant Baby' approaches as a huge threat.
ESRC links a Korean cryptocurrency-focused variant to the BabyShark-related “Baby” campaign family, naming the activity Operation Giant Baby and comparing it with Operation Mystery Baby and Operation Baby Coin. The malware disguises itself with a stolen Korean security-program icon, uses persistence through a Run registry key named “Ahnlab,” checks local log files and mutex-like conditions, and downloads RC4-encrypted payloads from reused C2 paths. The payloads collect keystrokes, cookies, clipboard data, browser account information, document lists, and cryptocurrency wallet-related files using Korean-language keyword searches. Infrastructure overlaps include everydayspecial[.]com paths and earlier C2s such as honew.elimbiz[.]com and un-org.yupage[.]com, while the report also cites historical spear-phishing against foreign-affairs targets and attacker artifacts containing Korean-name clues and a “North Korean” security question. The activity matters for DPRK-focused tracking because it shows continued Korean targeting, cryptocurrency theft motivation, and operational reuse across BabyShark-linked campaigns.