Lazarus Group: APT counterattack targeting Israeli defense contractors

2019-03-27 ESTSecurity Lazarus Group counterattacks APT targeting Israeli military companies

https://blog.alyac.co.kr/2219


ESRC investigated reports that Lazarus-linked operators targeted Israeli defense and aerospace-related organizations, including Israel Military Industries and Ashot Ashkelon Industries, through spear-phishing. The lure impersonated a SysAid software update written in Hebrew and delivered a RAR file that internally used the ACE format and exploited CVE-2018-20250 to drop a malicious executable into the Windows Startup folder. The payload, ekrnview.exe, was a 64-bit Windows executable that collected host information, checked Windows product data, and contacted hardcoded C2 endpoints, including alahbabgroup.com, 103.225.168.159, khuyay.org, and 47.91.56.21. The same 103.225.168.159 address appeared in a crafted LNK icon path, and one C2 server exposed a directory listing and a B374k web shell, giving defenders infrastructure and tooling artifacts to compare with related WinRAR exploitation activity in the Middle East.

Indicators of Compromise

