Tencent Yujian Threat Intelligence Center reported Lazarus (T-APT-15) activity exploiting Flash `CVE-2018-4878` through spear-phishing documents aimed at targets including cryptocurrency exchanges. The captured `.docx` lures embedded a malicious `.doc` with an exploit SWF that abused a Flash use-after-free condition, modified a `ByteArray` length to gain arbitrary read/write, and ran shellcode that injected into `explorer.exe` before downloading payloads from `falcancoin.io`. Tencent identified the payload as a new `FALLCHILL` remote-control Trojan variant with HTTP C2, remote file/process/information operations, self-uninstall capability, 27 remote-control commands, and C2 paths including `www.530hr.com/data/common.php`, `www.028xmz.com/include/common.php`, and `168wangpi.com/include/charset.php`. The report links the RAT to Lazarus through FALLCHILL code similarity, command-dispatch and logic overlap, Korean resource language, and KR-CERT reporting that North Korean hackers had used the zero-day in the wild.