3.20 Attack Group's Latest Operation 'Coin Manager'

2017-12-19 ESTSecurity 3.20 Attack organization's latest operation 'Coin Manager'

http://blog.alyac.co.kr/1448


ESRC identified an operation it calls Coin Manager, in which malware disguised as personal financial-management software was used against people connected to a specific Korean cryptocurrency exchange. The installer starts the infection during setup, hides its malicious payload in resources, drops lsm.exe into a temporary folder, and attempts encrypted communication with three C2 servers. The article links the activity to earlier intrusions against Korean government, media, financial, and private-sector targets through recurring Windows command-processor code patterns that also appear in HWP, EXE spear-phishing, and DOC macro malware. Related document-based variants dropped leo.exe or lsm.exe, contained Korean-language development artifacts, reused the ISkyISea account name, and overlapped with the Canadian IP address 184.107.209.2, making the campaign useful for tracking this group's long-running targeting of the Korean financial sector.

Indicators of Compromise

Type   Value            First Seen   Last Seen
IPv4   184.107.209.2    2017-12-19   2018-10-02
IPv4   181.119.19.56    2017-12-19   2018-10-02
IPv4   80.91.118.45     2017-12-19   2018-10-02
IPv4   111.207.78.204   2017-12-19   2018-10-02
IPv4   50.205.193.11    2017-12-19   2017-12-19
IPv4   208.52.184.13    2017-12-19   2017-12-19
IPv4   41.131.29.59     2017-12-12   2017-12-19
IPv4   64.86.34.24      2017-12-12   2017-12-19
IPv4   176.35.250.93    2017-08-14   2017-12-19
