LAZARUS’ FALSE FLAG MALWARE

2017-02-20 BAE Systems

http://baesystemsai.blogspot.kr/2017/02/lazarus-false-flag-malware.html


BAE Systems analyzed malware and watering-hole infrastructure tied to a wave of bank attacks that earlier reporting had linked to the Lazarus threat actor. The examined samples included an encrypted backdoor carried by a loader DLL: the loader decrypts it with XOR and RC4 routines, injects it into another process, and the implant is then controlled over a custom binary protocol that supports file transfer and remote download commands. The attackers used compromised websites to redirect selected visitors to a profiling script that checked the visitor's IP address against a target list, along with browser details, operating system version and installed plugins, before serving Adobe Flash or Microsoft Silverlight exploits. Russian-language command strings in the bot appeared inconsistent with native Russian usage, leading the researchers to assess them as a likely decoy intended to spoof the malware's origin. The report matters because it connects targeted financial-sector watering holes, exploit-kit style victim filtering, Lazarus-linked loader behavior, and false-flag language artifacts into a defensible detection picture.
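The loader behaviour described above (XOR and RC4 layers wrapped around an injected backdoor) is the kind of thing an analyst reproduces in a small unpacker once the keys are pulled out of the DLL. The following is an added illustration written for this page, not code from BAE Systems or from the samples: the key values, the key lengths and the order of the two layers (RC4 applied over an XOR-obfuscated image) are assumptions chosen for the example, and the "PE" blob it decrypts is a constructed header stub, not a real binary. What it does show is the generic pattern: undo each layer, then sanity-check the result by looking for a valid MZ/PE header before hashing it against the page's IoC list.

```python
"""Layered XOR + RC4 payload unpacker (added example; keys and layering are assumed)."""
import hashlib

# ASSUMED keys for illustration only; real samples carry their own.
XOR_KEY = b"\x5a\x13\xc7"
RC4_KEY = b"example-rc4-key"

# MD5 values from the IoC table on this page (32 hex chars each).
IOC_MD5 = {
    "e29fe3c181ac9ddbb242688b151f3310", "9cc6854bc5e217104734043c89dc4ff8",
    "9914075cc687bdc352ee136ac6579707", "889e320cf66520485e1a0475107d7419",
    "8e32fccd70cec634d13795bcb1da85ff", "9216b29114fb6713ef228370cbfe4045",
    "6dffcfa68433f886b2e88fd984b4995a",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by keystream generation (PRGA).
    RC4 is symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_with_key(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_payload(blob: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """Assumed layering: stored blob = RC4(XOR(image)), so strip RC4 first, then XOR."""
    return xor_with_key(xor_key, rc4(rc4_key, blob))


def pack_payload(image: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """Inverse of unpack_payload; only used here to build constructed test input."""
    return rc4(rc4_key, xor_with_key(xor_key, image))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap plausibility check on a decrypted image: 'MZ' at offset 0 and the
    'PE\\0\\0' signature at the offset stored in e_lfanew (DOS header offset 0x3C).
    A wrong key or wrong layer order almost never produces both."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_known_sample(blob: bytes) -> bool:
    """MD5 the (decrypted) image and compare against the IoC list from this page."""
    return hashlib.md5(blob).hexdigest() in IOC_MD5


def build_fake_pe() -> bytes:
    """Constructed stub with a consistent MZ/PE header layout; not an executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)       # DOS header up to e_lfanew
    hdr += (0x40).to_bytes(4, "little")           # e_lfanew -> PE signature at 0x40
    hdr += b"PE\x00\x00" + b"\x90" * 64           # signature plus filler "code"
    return bytes(hdr)


if __name__ == "__main__":
    encrypted = pack_payload(build_fake_pe(), XOR_KEY, RC4_KEY)
    image = unpack_payload(encrypted, XOR_KEY, RC4_KEY)
    print("valid PE header after unpack:", looks_like_pe(image))
    print("MD5 on IoC list:", is_known_sample(image))
```

When adapting this to a real loader, dump the embedded blob and both keys from the DLL, try the two layer orders, and keep whichever yields a header that passes looks_like_pe; the MD5 of the decrypted image is what gets compared against the IoC list, since the on-disk loader hash will differ from the hash of the injected payload.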

Indicators of Compromise

Type        Value (MD5, 32 hex chars)            First Seen   Last Seen
HASH        e29fe3c181ac9ddbb242688b151f3310     2017-02-20   2017-04-03
HASH        9cc6854bc5e217104734043c89dc4ff8     2017-02-20   2017-02-20
HASH        9914075cc687bdc352ee136ac6579707     2017-02-20   2017-02-20
HASH        889e320cf66520485e1a0475107d7419     2017-02-20   2017-02-20
HASH        8e32fccd70cec634d13795bcb1da85ff     2017-02-20   2017-02-20
HASH        9216b29114fb6713ef228370cbfe4045     2017-02-20   2017-02-20
HASH        6dffcfa68433f886b2e88fd984b4995a     2017-02-12   2017-02-20
