Beware of the latest APT attack targeting Korea, Operation Mystery Baby!
2018-11-02 • ESTSecurity • The latest APT attack targeting Korea, Operation Mystery Baby. Be careful!
ESRC describes Operation Mystery Baby malware built in a concentrated window on 31 October 2018, with separate 32-bit and 64-bit variants disguised as a Korean security product. The malware collects system information, user accounts, keystrokes, and files including common document formats and Android keystore files, then attempts to exfiltrate data to Korean-language web servers. ESRC links the code and infection flow to earlier Operation Baby Coin activity, including encrypted payload handling where files such as store.sys are decrypted into update.tmp using an RC4-like routine. The broader intrusion history includes spear-phishing with CVE-2017-11882, cryptocurrency-themed lures, webmail credential phishing, HWP exploit use, and distribution through compromised Korean websites. The report matters because it shows sustained code reuse and operational adaptation by a suspected state-sponsored APT actor targeting Korean users and related environments.
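The payload-handling step above (an encrypted file such as store.sys decrypted into update.tmp by an RC4-like routine) is the kind of thing an analyst reproduces in a triage script to confirm a recovered key. The following is an added example, not ESRC's code and not code from the malware: it assumes textbook RC4 (the report only says "RC4-like", so the real routine may differ), and the key, the fake PE header, and the encrypted blob are all constructed inline for the demonstration.

```python
"""Triage helper: test whether a candidate RC4 key turns an encrypted blob
(store.sys-style) into something that looks like a Windows executable
(update.tmp-style).  Hypothetical example: textbook RC4 is assumed, and the
real "RC4-like" routine in the malware may differ from it."""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Heuristic a decryption check uses: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_keys(blob: bytes, candidates):
    """Return (key, plaintext) for the first candidate key that yields a
    PE-looking buffer, or None if no candidate works."""
    for key in candidates:
        plain = rc4(key, blob)
        if looks_like_pe(plain):
            return key, plain
    return None


# --- constructed sample data (not taken from the report) ---
def fake_pe() -> bytes:
    """Minimal stand-in for a PE image: DOS header with e_lfanew -> 0x40, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)    # 0x40 bytes of DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew points just past the DOS header
    hdr += b"PE\x00\x00" + b"\x00" * 20        # NT signature plus padding
    return bytes(hdr)


SAMPLE_KEY = b"constructed-demo-key"            # constructed key, not the malware's
SAMPLE_STORE_SYS = rc4(SAMPLE_KEY, fake_pe())   # stands in for an encrypted store.sys

if __name__ == "__main__":
    hit = try_keys(SAMPLE_STORE_SYS, [b"wrong", b"also-wrong", SAMPLE_KEY])
    print("recovered key:", hit[0] if hit else None)
```

In practice the candidate list comes from strings or constants pulled out of the dropper, and the PE-signature check is what separates a correct key from the random-looking output every wrong key produces; the same structure works for any symmetric routine once the real algorithm has been identified.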