Demystifying targeted malware used against Polish banks

2017-02-16 ESET

https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/

ESET examined targeted malware delivered through watering-hole attacks against Polish banks and related financial targets, including redirects from compromised financial regulator websites. The payload chain used multi-stage droppers and loaders, dynamic API loading, RC4 or Spritz-like decryption, Enigma packing, service-based persistence, and modules that injected into Windows sessions. The final RAT module communicated with encrypted C2 infrastructure and supported operator commands for file movement, execution, deletion, process control, download, upload, and configuration changes. ESET described the toolkit as Lazarus-like based on overlaps noted by BAE Systems, Symantec, and Novetta, but cautioned that Russian transliterated operator commands could be a false flag. The analysis helped characterize the malware family behind the banking attacks beyond the initial watering-hole vector and highlighted practical traits defenders could hunt for in endpoint telemetry.

Indicators of Compromise