Lazarus group leverages Covid themed HWP Document
2020-05-09 • dinu135dk
https://medium.com/@dinu135dk/lazarus-group-leverages-covid-themed-hwp-document-dde6b80d51eb
The excerpt describes a Lazarus campaign using a COVID-themed HWP document targeting South Korea, including a Jeollanam-do coronavirus inquiry lure. OSINT analysis found that the executable was downloaded from sofa.rs and that it matched detection logic for a reflective loader. The executable is described as having a victim-selection kill switch, sandbox and debugger evasion, execution-timing checks, and a call to IsDebuggerPresent. Mapped behaviors include WMI and API execution, application shimming, masquerading, packing, input capture, discovery activity, remote file copy, clipboard collection, encrypted exfiltration, and command and control over a standard cryptographic protocol. The report provides MD5 indicators and YARA-style reflective-loader strings that defenders can use for triage and detection.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | mbrainingevents.com | 2020-04-02 | 2020-05-29 |
| YARA | ReflectiveLoader | 2020-05-09 | 2020-05-09 |
| HASH | 186aa05bfe4739274c3c258be4a5a160 | 2020-05-09 | 2020-05-09 |
| IPv4 | 185.62.56.131 | 2020-05-09 | 2020-05-09 |
| HASH | fe2d05365f059d48fd972c79afeee682 | 2020-04-15 | 2020-05-09 |
| HASH | 8451be72b75a38516e7ba7972729909e | 2020-04-02 | 2020-05-09 |
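The table above is the report's raw output; to be useful it has to be turned into something a SOC can run against telemetry. The following script is an added example (not code from the original post or from the report's author): it parses the IoC table exactly as printed, indexes the matchable rows by type, and scans log lines for MD5 hashes, IPv4 addresses and domains (including subdomains of a listed domain). The YARA row names a rule rather than a value, so it is kept for reference but skipped by the log scan. The log lines and the benign byte string in the test are constructed for illustration; the indicator values are the ones from the table.

```python
import hashlib
import re
from dataclasses import dataclass

# The IoC table from the report, copied as printed above.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | mbrainingevents.com | 2020-04-02 | 2020-05-29 |
| YARA | ReflectiveLoader | 2020-05-09 | 2020-05-09 |
| HASH | 186aa05bfe4739274c3c258be4a5a160 | 2020-05-09 | 2020-05-09 |
| IPv4 | 185.62.56.131 | 2020-05-09 | 2020-05-09 |
| HASH | fe2d05365f059d48fd972c79afeee682 | 2020-04-15 | 2020-05-09 |
| HASH | 8451be72b75a38516e7ba7972729909e | 2020-04-02 | 2020-05-09 |
"""

# Constructed sample telemetry (DNS, proxy, EDR); hostnames and client IPs are made up.
SAMPLE_LOGS = [
    "2020-05-09T10:01:22Z dns client=10.0.0.15 query=cdn.mbrainingevents.com type=A",
    "2020-05-09T10:01:23Z proxy client=10.0.0.15 dst=185.62.56.131:443 method=CONNECT",
    "2020-05-09T10:02:05Z edr host=WS-042 event=file_create "
    "path=C:\\Users\\user\\AppData\\Local\\Temp\\update.exe md5=186AA05BFE4739274C3C258BE4A5A160",
    "2020-05-09T10:02:06Z dns client=10.0.0.16 query=example.org type=A",
]


@dataclass(frozen=True)
class Ioc:
    kind: str
    value: str
    first_seen: str
    last_seen: str


def parse_ioc_table(text):
    """Parse a markdown IoC table into Ioc records, skipping header and separator rows."""
    iocs = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue
        kind, value, first, last = cells
        # Normalize: type upper-cased, value lower-cased so hash/domain case never matters.
        iocs.append(Ioc(kind.upper(), value.lower(), first, last))
    return iocs


def index_iocs(iocs):
    """Group indicator values by type for O(1) membership tests.
    YARA rows describe a rule to run over file content, not a value to grep for, so they are skipped."""
    idx = {}
    for ioc in iocs:
        if ioc.kind == "YARA":
            continue
        idx.setdefault(ioc.kind, set()).add(ioc.value)
    return idx


# Token extractors; lookarounds stop partial matches inside longer hex runs or dotted strings.
MD5_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])", re.I)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
DOMAIN_RE = re.compile(r"(?<![\w.])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w.])", re.I)


def scan_line(line, idx):
    """Return (kind, indicator) pairs for every IoC found in one log line."""
    hits = []
    for h in MD5_RE.findall(line):
        if h.lower() in idx.get("HASH", set()):
            hits.append(("HASH", h.lower()))
    for ip in IPV4_RE.findall(line):
        if ip in idx.get("IPV4", set()):
            hits.append(("IPV4", ip))
    for name in DOMAIN_RE.findall(line):
        name = name.lower()
        for dom in idx.get("DOMAIN", set()):
            # Match the domain itself and any subdomain of it.
            if name == dom or name.endswith("." + dom):
                hits.append(("DOMAIN", dom))
    return hits


def scan_logs(lines, idx):
    """Scan many lines; each hit is (line_number, kind, indicator)."""
    return [(i, kind, value)
            for i, line in enumerate(lines)
            for kind, value in scan_line(line, idx)]


def md5_matches(data, idx):
    """Hash file bytes and return the MD5 if it is a listed indicator, else None."""
    digest = hashlib.md5(data).hexdigest()
    return digest if digest in idx.get("HASH", set()) else None


if __name__ == "__main__":
    index = index_iocs(parse_ioc_table(IOC_TABLE))
    for line_no, kind, value in scan_logs(SAMPLE_LOGS, index):
        print(f"line {line_no}: {kind} {value}")
```

Two design points worth keeping when adapting this: normalize case on both sides (EDR products commonly emit upper-case hashes, as the third sample line does), and treat domain indicators as suffix matches so that a subdomain like the constructed `cdn.mbrainingevents.com` still alerts. MD5 is what the report supplies, so it is used here for lookup; it is not a collision-resistant hash, and a stronger digest should be preferred wherever the source offers one.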