Lazarus KillDisks Central American casino

2018-04-03 ESET

https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/

ESET attributes attacks against a Central American online casino and other late-2017 targets to Lazarus based on overlapping toolsets, telemetry, Lazarus-linked malware, and shared static characteristics. The intrusions used Windows service-oriented NukeSped backdoors, a session-hijacking tool, credential theft utilities including a modified Mimikatz, remote access tooling, and destructive Win32/KillDisk.NBO variants deployed across more than 100 machines in the casino network. The KillDisk samples damaged systems by wiping or corrupting data and were closely related to variants seen against Latin American financial organizations. The report highlights how Lazarus combined custom malware, commercial protectors such as VMProtect, public tools, and destructive payloads in a complex multi-stage operation likely intended for cover-up, extortion, or sabotage.

Indicators of Compromise

Type  Value                               First Seen  Last Seen
HASH  e4b763b4e74de3ef24db6f19108e70c…    2018-04-03  2018-04-03
HASH  5042c16076ae6346af8cf2b40553eee…    2018-04-03  2018-04-03
HASH  18ea298684308e50e3ae6bb66d7321a…    2018-04-03  2018-04-03
HASH  d39311c74deb60c736982c1ab74d668…    2018-04-03  2018-04-03
HASH  7c55572e8573d08f3a69fb15b7fef10…    2018-04-03  2018-04-03
HASH  e7fdeab60aa4203ea0ff24506b3fc66…    2018-04-03  2018-04-03
HASH  7dfe5f779e46855b32612d168b9cc53…    2018-04-03  2018-04-03
HASH  8826d4edbb00f0a45c23567b16beed2…    2018-04-03  2018-04-03
HASH  429b750d7b1e3b8dfc2264b8143e97e…    2018-04-03  2018-04-03
HASH  325e27077b4a71e6946735d32224ca0…    2018-04-03  2018-04-03