'Operation BattleCruiser': ongoing domestic and overseas APT attacks using various vulnerabilities

2018-04-11 ESTSecurity Operation BattleCruiser: ongoing domestic and overseas APT attacks using various vulnerabilities

http://blog.alyac.co.kr/1625


ESRC links Operation BattleCruiser to Lazarus activity using malicious HWP documents and exploit-delivered payloads against Korean and overseas targets, including defense, North Korea-related, security, public-sector, academic, financial, and cryptocurrency-related environments. The HWP lure contained a compressed PostScript stream that decoded shellcode with XOR 0x29 and contacted naviilibs.com to download 32-bit or 64-bit DLL payloads disguised with .avi filenames. The follow-on malware is described as a Manuscrypt-series Lazarus payload, with C2 and exfiltration behavior and code similarities to earlier Korean defense watering-hole activity, Arabian Night macro documents, cryptocurrency exchange targeting, and Sony Pictures-era tooling. The report also connects a February 2018 CVE-2018-4878 Flash exploit document and package32.zip/package64-style payloads to the same code family, noting Korean-language resources and reused command/code patterns across campaigns. The overlap with Geumseong121 and Kimsuky-related indicators matters because it shows Lazarus adopting exploit and infrastructure patterns seen across multiple DPRK-linked operations rather than operating as a single isolated indicator set.

Indicators of Compromise

Type     Value            First Seen   Last Seen
IPv4     221.138.17.152   2017-04-07   2020-02-25
DOMAIN   falcancoin.io    2018-03-07   2018-06-22
DOMAIN   hypnosmd.com     2018-04-11   2018-04-11
DOMAIN   0756rz.com       2018-04-11   2018-04-11
DOMAIN   51xz8.com        2018-04-11   2018-04-11
DOMAIN   naviilibs.com    2018-04-11   2018-04-11
IPv4     211.233.13.62    2017-04-07   2018-04-11
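The indicators above are most useful when turned into a repeatable check over egress telemetry. The script below is an added example, not code from ESTsecurity or the report: it loads the page's domain and IP indicators, parses a few constructed proxy log lines (the log format is assumed, not one the report describes), flags any request whose host is an indicator or a subdomain of one, and marks downloads of ".avi"-named objects from an indicator host, since the report describes DLL payloads disguised with .avi filenames. It goes slightly beyond the page by matching subdomains as well as exact hosts, and adds a small content check for a file that claims to be .avi but starts with a PE "MZ" header.

```python
"""Match the Operation BattleCruiser indicators against proxy logs (added example)."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators copied from the table on this page.
IOC_DOMAINS = {"falcancoin.io", "hypnosmd.com", "0756rz.com", "51xz8.com", "naviilibs.com"}
IOC_IPS = {"221.138.17.152", "211.233.13.62"}

# Constructed sample log lines (not from the report): timestamp, client, method, URL, status, bytes.
SAMPLE_LOG = """\
2018-04-11T09:12:01Z 10.0.0.15 GET http://naviilibs.com/update/movie.avi 200 61440
2018-04-11T09:12:05Z 10.0.0.15 GET http://cdn.naviilibs.com/x64/clip.avi 200 98304
2018-04-11T09:13:10Z 10.0.0.22 GET http://www.example.org/index.html 200 5120
2018-04-11T09:14:30Z 10.0.0.30 GET http://221.138.17.152/check 200 12
2018-04-11T09:15:00Z 10.0.0.31 GET http://notnaviilibs.com/x 200 40
"""

# Assumed log layout; adjust the pattern to the proxy actually in use.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def normalize_host(host: str) -> str:
    """Lower-case the host and drop a trailing dot so comparisons are exact."""
    return host.strip().rstrip(".").lower()


def match_domain(host: str):
    """Return the indicator domain that `host` equals or is a subdomain of, else None.

    The suffix check requires a dot boundary, so 'notnaviilibs.com' does not match.
    """
    host = normalize_host(host)
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def match_ip(host: str):
    """Return the indicator IP if `host` is a literal address in the IoC set, else None."""
    try:
        ip = str(ip_address(host))
    except ValueError:
        return None
    return ip if ip in IOC_IPS else None


def is_disguised_payload(filename: str, head: bytes) -> bool:
    """True when a file named .avi actually begins with a PE 'MZ' header (content check)."""
    return filename.lower().endswith(".avi") and head[:2] == b"MZ"


def scan_log(text: str):
    """Return one record per log line whose destination host matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        dom = match_domain(host)
        ip = match_ip(host)
        if dom:
            reason = f"domain:{dom}"
        elif ip:
            reason = f"ip:{ip}"
        else:
            continue
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "host": host,
            "reason": reason,
            # .avi objects fetched from an indicator host deserve a content check
            "avi_from_ioc_host": parts.path.lower().endswith(".avi"),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = " [possible disguised DLL]" if hit["avi_from_ioc_host"] else ""
        print(f"{hit['ts']} {hit['src']} -> {hit['host']} ({hit['reason']}){flag}")
```

Run it on the constructed sample and three of the five lines are flagged: the two naviilibs.com requests (one via a subdomain) are marked as .avi fetches from an indicator host, and the request to 221.138.17.152 is matched on IP; the look-alike notnaviilibs.com is correctly ignored because the suffix check requires a dot boundary.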
