Lazarus Group Attempts APT Attack Targeting Korean Securities-Company Employees

2020-05-27 ESTSecurity Lazarus group attempts APT attack targeting Korean securities company employees

https://blog.alyac.co.kr/3018


ESRC analyzed a spear-phishing attack against a South Korean securities-company employee and attributed the operation to Lazarus. The email carried numerous decoy attachments (HWP, XLSX, JPEG and other large files); the first HWP file contained malicious PostScript data that launched shellcode. The shellcode created %appdata%\Microsoft\Internet Explorer\security.vbs, contacted sixbitsmedia[.]com to download an additional Base64-encoded payload disguised as a PNG, and produced a 32-bit DLL whose PDB path references a "Crat Client". The follow-on malware communicated with several compromised WordPress-based sites, including mokawafm[.]com, tiramisu[.]it, kartacnictvi[.]cz, dimer-group[.]com, and ecolerubanvert[.]com, which served as command-and-control infrastructure for additional attacker commands.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
URL     https://mokawafm.com/wp-content…   2020-05-25  2020-05-29
DOMAIN  mokawafm.com                       2020-05-25  2020-05-29
URL     http://www.kartacnictvi.cz/wp-c…   2020-05-27  2020-05-27
URL     https://www.tiramisu.it/wp-cont…   2020-05-27  2020-05-27
URL     http://www.dimer-group.com/wp-c…   2020-05-27  2020-05-27
URL     https://ecolerubanvert.com/wp-c…   2020-05-27  2020-05-27
DOMAIN  ecolerubanvert.com                 2020-05-27  2020-05-27
URL     https://sixbitsmedia.com/wp-con…   2020-05-25  2020-05-27
DOMAIN  sixbitsmedia.com                   2020-05-25  2020-05-27
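As an added example (not ESRC's or ESTsecurity's code), the following script sweeps proxy logs and endpoint file-creation events for the two durable indicators in this report: the six domains from the IoC table (the truncated URL entries all sit on those hosts, so the host rather than the cut-off path is the stable match) and the dropped security.vbs under %appdata%. The proxy-log layout, the hostnames in the sample lines, the workstation names and the function names are assumptions made for this example; the indicator values themselves come from the page.

```python
"""IoC sweep for the Lazarus spear-phishing chain described in this report.

Added example, not code from ESRC or ESTsecurity. Indicator values come from
the report; the log format, sample data and function names are assumptions.
"""
import re
from urllib.parse import urlsplit

# Domains listed in the report's IoC table.
IOC_DOMAINS = {
    "sixbitsmedia.com",    # stage-2 download (Base64 payload disguised as PNG)
    "mokawafm.com",        # follow-on C2 on compromised WordPress sites
    "tiramisu.it",
    "kartacnictvi.cz",
    "dimer-group.com",
    "ecolerubanvert.com",
}

# Dropped VBS location, lower-cased with backslashes.
# %appdata% expands to C:\Users\<user>\AppData\Roaming on Windows Vista and later.
DROPPED_VBS_SUFFIX = r"\appdata\roaming\microsoft\internet explorer\security.vbs"

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client_ip> <METHOD> <url> <status>
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def matched_ioc_domain(host):
    """Return the IoC domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def check_url(url):
    """Return (ioc_domain, path) when the URL's host is an IoC domain, else None."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    ioc = matched_ioc_domain(parts.hostname)
    if ioc is None:
        return None
    return ioc, parts.path


def check_file_path(path):
    """True when a file-creation path matches the dropped security.vbs location."""
    normalised = path.replace("/", "\\").lower()
    return normalised.endswith(DROPPED_VBS_SUFFIX)


def sweep_proxy_log(lines):
    """Return one hit dict per well-formed proxy line whose host is an IoC domain."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        found = check_url(m.group("url"))
        if found:
            ioc, path = found
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "domain": ioc, "path": path})
    return hits


def sweep_file_events(events):
    """Return the (host, path) pairs whose path matches the dropped VBS."""
    return [(host, path) for host, path in events if check_file_path(path)]


# Constructed sample data (not taken from the report).
SAMPLE_PROXY_LOG = [
    "2020-05-27T09:12:03Z 10.20.30.41 GET https://sixbitsmedia.com/wp-content/sample.png 200",
    "2020-05-27T09:12:10Z 10.20.30.41 GET https://www.example.org/index.html 200",
    "2020-05-27T09:13:55Z 10.20.30.41 POST http://www.kartacnictvi.cz/wp-content/sample.php 200",
    "malformed line that should be skipped",
    "2020-05-27T09:20:00Z 10.20.30.77 GET https://notsixbitsmedia.com/ 200",  # must not match
]
SAMPLE_FILE_EVENTS = [
    ("WS-0412", r"C:\Users\jdoe\AppData\Roaming\Microsoft\Internet Explorer\security.vbs"),
    ("WS-0412", r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\report.hwp.lnk"),
    ("WS-0199", r"C:\Users\asmith\AppData\Roaming\Microsoft\Internet Explorer\brndlog.txt"),
]

if __name__ == "__main__":
    for hit in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print("IoC domain contact:", hit)
    for host, path in sweep_file_events(SAMPLE_FILE_EVENTS):
        print("Dropped VBS on", host, "at", path)
```

Matching is done on the registrable domain plus any subdomain (so www.kartacnictvi.cz matches but notsixbitsmedia.com does not), and the file check compares only the path suffix so it holds for any user profile directory. Because the C2 hosts are ordinary compromised WordPress sites, a domain hit is a strong lead rather than proof on its own; pair it with the security.vbs file event on the same host and with the HWP attachment in the mail gateway logs.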
