QiAnXin RedDrip analyzed Lazarus-attributed targeting of South Korea that used COVID-19 emergency-response lures and HWP attachments impersonating regional disease-control notices. The malicious HWP files contained EPS/PostScript content that executed PowerShell, downloaded DLL payloads such as skype.jpg or h1.jpg from remote servers, and loaded them with regsvr32 or related execution paths. The payloads performed anti-analysis and anti-VM checks, collected user, MAC address, disk, and process information, and supported command execution, file upload, keylogging, and additional download-and-execute functions through C2 infrastructure. Representative infrastructure in the source includes teslacontrols.ir, sofa.rs, kingsvc.cc, and several compromised wp-admin network paths.