Lazarus APT group runs a "Movie Coin" operation impersonating cryptocurrency investment contracts
2019-06-20 • ESTSecurity • Lazarus APT group conducts Movie Coin operation impersonating cryptocurrency investment contracts
ESRC reported a Lazarus operation that used a Korean-language cryptocurrency investment-contract HWP document as a lure; the malicious document was dated June 2019 and was crafted to exploit HWP file processing. PostScript code embedded in the document used XOR encoding and shellcode to conceal its command-and-control logic, then retrieved 32-bit and 64-bit DLL payloads, disguised as movie.png and movie.jpg, from a path on a compromised WordPress site. The DLLs carried the export names movie32.dll and movie64.dll, communicated with additional C2 endpoints, and waited for operator commands. ESRC linked the structure to the earlier Lazarus Battle Cruiser and Star Cruiser activity, noting similar PostScript logic, abuse of WordPress sites, and webshell evidence, and assessed the cryptocurrency theme as consistent with financially motivated targeting.
Indicators of Compromise