Lazarus APT attacks targeting cryptocurrency traders accelerate

2019-07-02 ESTSecurity Lazarus APT attacks targeting cryptocurrency traders accelerate

https://blog.alyac.co.kr/2397


ESRC reports a run of APT activity against South Korea involving Lazarus, Kimsuky, and Geumseong121, with the highlighted Lazarus case targeting cryptocurrency-related individuals through a malicious HWP document disguised as a student project report. The attachment used an embedded malicious PostScript stream and XOR-decoded shellcode to attempt downloads from command-and-control URLs hosted under compromised WordPress paths. A later HWP variant, disguised as an air-conditioner maintenance document, reused the same structure and execution flow while switching to calderonflooring[.]com-hosted payload URLs. The activity matters because the same South Korea-focused threat landscape combined espionage-oriented targeting with financially motivated attacks against cryptocurrency users and exchanges.

Indicators of Compromise

