Lazarus APT group reappears with APT operation 'Operation Movie Coin' impersonating a system porting specification

2019-07-12 ESTSecurity: Lazarus APT group reappears with APT operation 'Operation Movie Coin' impersonating system porting specifications

https://blog.alyac.co.kr/2416


ESRC reported that a Lazarus APT intrusion used a malicious HWP document named "System Porting Specification" that exploited a Ghostscript module vulnerability and closely resembled the earlier Operation MovieCoin activity. The decoy document was crafted to look like a realistic system porting contract, including contract value, performance period, guarantee, and delay compensation fields. When opened, the HWP shellcode acted as a bot and downloaded x86 or x64 MovieCoin payloads from technokain[.]com; the payloads collected information about the infected system and sent it to attacker-controlled servers. The payload used WordPress-themed C2 paths on weeklyexperts[.]com, payngrab[.]com, and adhyatmikpunarjagran[.]org, and supported further commands for file download, execution, and delayed operation. ESRC noted that Lazarus had recently resumed active operations against cryptocurrency-related targets and South Korean victims, so the campaign is relevant to detection of the HWP exploit, the bot stage, and the C2 infrastructure.
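The summary names four network indicators (one payload host and three C2 domains) but no specific paths. The following is an added example, not ESRC's tooling or anything from the original report: a small proxy-log sweep that refangs the published domains, matches exact hosts and subdomains, and tags requests whose path starts with `/wp-` as a weak "WordPress-themed" signal. The log format, the sample lines, the paths and the client IPs are all constructed for the example; the `/wp-` heuristic is an assumption, since the report does not publish the actual C2 paths.

```python
"""Proxy-log IOC sweep for the Operation Movie Coin domains named in the ESRC summary.

Added example for this page; not ESRC's code. The log format, sample lines,
paths and client addresses below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Domains exactly as published (defanged) in the summary above.
DEFANGED_IOCS = [
    "technokain[.]com",            # x86/x64 MovieCoin payload download host
    "weeklyexperts[.]com",         # C2 (WordPress-themed paths)
    "payngrab[.]com",              # C2 (WordPress-themed paths)
    "adhyatmikpunarjagran[.]org",  # C2 (WordPress-themed paths)
]


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it can be matched against logs."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Constructed log format (assumption, not a real proxy's format):
#   <timestamp> <client_ip> <method> <host> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    path: str
    ioc: str             # which published domain matched
    wordpress_path: bool # heuristic: path begins with /wp- (assumption, see lead-in)


def host_matches(host: str) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    The '.' + ioc check avoids false positives such as notpayngrab.com.
    """
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def sweep(lines: Iterable[str]) -> List[Hit]:
    """Parse each log line and return one Hit per request to a published domain."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the sweep
        ioc = host_matches(m["host"])
        if ioc is None:
            continue
        hits.append(Hit(
            ts=m["ts"], client=m["client"], host=m["host"], path=m["path"], ioc=ioc,
            wordpress_path=m["path"].startswith("/wp-"),
        ))
    return hits


def clients_by_ioc(hits: List[Hit]) -> Dict[str, List[str]]:
    """Group distinct client IPs under each matched domain, for triage."""
    out: Dict[str, List[str]] = {}
    for h in hits:
        bucket = out.setdefault(h.ioc, [])
        if h.client not in bucket:
            bucket.append(h.client)
    return out


# Constructed sample log; none of these paths or addresses come from the report.
SAMPLE_LOG = [
    "2019-07-11T09:14:02Z 10.0.5.23 GET technokain.com /update/x64.bin 200",
    "2019-07-11T09:14:05Z 10.0.5.23 POST weeklyexperts.com /wp-content/plugins/index.php 200",
    "2019-07-11T09:15:00Z 10.0.5.40 GET www.example.com /index.html 200",
    "2019-07-11T09:16:11Z 10.0.5.23 GET cdn.payngrab.com /img/logo.png 404",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        flag = " [wp-path]" if hit.wordpress_path else ""
        print(f"{hit.ts} {hit.client} -> {hit.host}{hit.path} (ioc: {hit.ioc}){flag}")
    print(clients_by_ioc(sweep(SAMPLE_LOG)))
```

Run against the constructed sample, the sweep flags the three requests to published domains (including the subdomain of payngrab.com), ignores the benign host and the malformed line, and marks only the `/wp-content/...` request with the WordPress-path heuristic. In practice the same `host_matches` logic applies to DNS query logs, and the `/wp-` tag should be treated as an enrichment for analysts, not as a detection on its own.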
