Attackers target dozens of global banks with new malware

2017-02-12 Symantec

https://community.broadcom.com/symantecenterprise/viewdocument/attackers-target-dozens-of-global-b?CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments


Symantec investigated a watering-hole campaign that targeted banks and related organizations in 31 countries, beginning with compromises observed in Poland and extending to blocked infection attempts in Mexico, Uruguay, and Poland. The attackers used compromised websites, including the Polish financial regulator’s site, to redirect selected visitors to an exploit kit configured to infect only about 150 IP addresses belonging mostly to financial institutions. The malware family Ratankba contacted eye-watch[.]in for command-and-control and downloaded a Hacktool whose code strings overlapped with tools previously associated with Lazarus. Symantec later identified additional tentative Lazarus links, including malware found at a Polish target, a Ratankba sample submitted alongside Destover, and the distinctive "del /a %1" trait also seen in Lazarus-linked malware families. The activity matters because it showed a focused intrusion campaign against global financial institutions using selective watering-hole delivery and tooling with multiple overlaps to prior Lazarus activity.

Indicators of Compromise

