Geumseong121 (Venus 121) Group's APT "Imitation Game", Disguised as Lazarus, Appears
2019-08-03 • ESTSecurity
ESRC described Operation Imitation Game as a Geumseong121 spear-phishing campaign that deliberately mimicked Lazarus HWP malware traits as a false-flag technique. The malicious HWP attachment used PostScript and shellcode patterns resembling Lazarus samples, but deeper analysis found Geumseong121-style code paths, PDB traces, and infrastructure reuse. The real activity resolved to C2 such as price365.co.kr and related Korean-hosted infrastructure rather than the copied Lazarus-looking logic. The case is important for defenders because it shows DPRK-related clusters borrowing each other’s tradecraft, which makes payload-level validation necessary before attribution.