Lazarus Targets Chemical Sector
2022-04-14 • Symantec
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
Symantec observed the North Korea-linked Lazarus group targeting South Korean chemical-sector organizations in activity assessed as a continuation of Operation Dream Job, tracked by Symantec as Pompilus. The campaign used fake job-offer lures that led to malicious HTM files, DLL injection into INISAFE Web EX Client, and Trojanized signed tools such as ComparePlus and XZ Utils components with malicious exports. Follow-on activity included shellcode loaders, C2 communication using the "prd_fld=racket" parameter, credential dumping from registry hives, WMI-based lateral movement, scheduled-task persistence, and deployment of tools such as SiteShoter, IP Logger, WakeOnLAN, FastCopy, and FTP under MagicLine. Symantec assessed the chemical-sector targeting as likely intended to support North Korea’s acquisition of intellectual property in that field.
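The "prd_fld=racket" query parameter named above is the kind of network indicator a defender can hunt for in web proxy logs. The following Python is an added detection example written for this summary, not code from the Symantec report; the log line format, the IP addresses and the URLs are constructed sample data. It parses each URL's query string rather than grepping for the raw substring, so a URL that merely carries the text "prd_fld=racket" inside another parameter's value is not reported.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not taken from the report).
# Format: "<timestamp> <src_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2022-04-01T10:00:01Z 10.0.0.5 GET http://example.test/index.php?page=1 200
2022-04-01T10:00:07Z 10.0.0.9 POST http://203.0.113.10/board/view.asp?prd_fld=racket&bid=3 200
2022-04-01T10:00:12Z 10.0.0.9 GET http://example.test/search?q=prd_fld%3Dracket 200
2022-04-01T10:01:00Z 10.0.0.5 GET http://203.0.113.10/img/logo.png 304
"""

# Query parameter name -> set of values that the report ties to Lazarus C2 traffic.
SUSPICIOUS_PARAMS = {"prd_fld": {"racket"}}


def parse_line(line):
    """Split one constructed log line into a record, or return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, url, status = parts
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status}


def has_suspicious_param(url):
    """True if the URL's query string contains a known C2 parameter/value pair.

    parse_qs decodes the query into {name: [values]}, so the match is made on
    the parameter *name* and *value*, not on a substring of the whole URL.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, bad_values in SUSPICIOUS_PARAMS.items():
        if any(value in bad_values for value in query.get(name, [])):
            return True
    return False


def scan_log(text):
    """Return the records whose URL carries a suspicious C2 parameter."""
    hits = []
    for line in text.splitlines():
        record = parse_line(line)
        if record and has_suspicious_param(record["url"]):
            hits.append(record)
    return hits


def summarize(hits):
    """Collapse hits into distinct (source IP, destination host) pairs for triage."""
    pairs = set()
    for record in hits:
        pairs.add((record["src"], urlsplit(record["url"]).hostname))
    return sorted(pairs)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for record in found:
        print(f"{record['ts']} {record['src']} -> {record['url']}")
    print("hosts to triage:", summarize(found))
```

Only the second constructed line is reported: the third line contains the same text URL-encoded inside the `q` parameter, which a plain substring match would flag. The check covers URLs logged by the proxy; if the parameter travels in a POST body instead of the query string, it will not appear in this log format and needs to be matched on captured request bodies.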