Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks
2016-05-27 • Anomali
https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks
Anomali Labs identified five additional malware samples that shared subroutines previously reported in SWIFT intrusion malware and Lazarus Group Operation Blockbuster tooling. The overlaps were found with a YARA search and position-independent code function hashing across a large malware repository, with the search returning no false positives in the described dataset. The related samples included SWIFT BanSwift, a fake Foxit Reader sample submitted from Vietnam, SMBWorm, a memory dump containing SMBWorm, an unknown hkcmd tool, and a backdoor posing as a Korean Microsoft Office 2007 component. The small result set and shared Lazarus Wipe File routine strengthened the evidence connecting the SWIFT banking intrusions to other malware associated with North Korean activity.