Domestic targeted APT attack group - Lazarus (LAZARUS)

2020-03-04 Igloo, "Domestic-targeting APT attack group - LAZARUS"

https://www.igloo.co.kr/security-information/%ec%95%8c%ec%95%84%eb%b3%b4%ec%9e%a1-series-%ea%b5%ad%eb%82%b4-%ed%83%80%ea%b9%83%ed%98%95-apt%ea%b3%b5%ea%b2%a9%ea%b7%b8%eb%a3%b9-%eb%9d%bc%ec%9e%90%eb%a3%a8%ec%8a%a4lazarus/

Igloo summarizes Lazarus as a suspected North Korean state-backed group active against domestic Korean targets, with historical links cited to Operation Troy, the Sony Pictures intrusion, Hidden Cobra, Andariel, and BlueNoroff. The analyzed cases center on malicious Hangul (HWP) documents disguised as real estate reports, investment or system contracts, company documents, proof-submission requests, and CES participation forms. The infection chains use embedded PostScript or macro content carrying XOR-encoded shellcode, inject that shellcode into the legitimate explorer.exe process, download further stages from C2 servers, and end with payloads such as Manuscrypt/Bankshot or DLLs such as WEB_Troy.dll that send victim PC information to attacker infrastructure. The report stresses why Korean organizations should treat convincing HWP lures as a persistent intrusion vector: the documents exploit vulnerabilities for which patches already exist, and the quiet information theft that follows leaves users with little sign that their machine was compromised.
