Lazarus APT group carries out attacks disguised as personal-information form documents
2019-07-15 • ESTSecurity • Lazarus APT group carries out attacks disguised as personal information documents
ESRC analyzed a Lazarus-linked malicious HWP document disguised as an outsourced employee personal-information form for a finance-related organization. The document used embedded PostScript, XOR-encrypted shellcode, and an added obfuscation layer while sharing C2 and attack-code traits with earlier Lazarus HWP activity. Follow-on payloads were retrieved from technokain.com and communicated with compromised WordPress paths including weeklyexperts.com, payngrab.com, and adhyatmikpunarjagran.org. The activity resembles BattleCruiser and StarCruiser campaign techniques and reinforces the need to patch Hangul Office vulnerabilities.