Lazarus Under The Hood
2017-04-03 • Kaspersky
Kaspersky links Lazarus and its Bluenoroff subgroup to financial-sector intrusions, including watering-hole attacks against banks and activity connected to SWIFT-related theft operations. Bluenoroff is described as focused on financial gain, targeting banks, developers of financial trading software, cryptocurrency-related entities, and other financial institutions across multiple countries. In the investigation of one European C2 server, the operators installed Apache Tomcat, configured JSP-based C2 handling, tested backdoors, and worked through VPNs and proxies, yet the server logs preserved one short connection from a North Korean IP range. The report also describes Lazarus tradecraft: disposable first-stage backdoors; payloads kept in protected form through DLL loaders, encrypted containers, and encrypted registry values; password-protected installers; packers; obfuscation; and frequent tool changes. These findings matter because they tie bank intrusions, SWIFT-focused malware, and global watering-hole operations to a large, organized Lazarus ecosystem on evidence that does not rest only on code reuse.
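The C2 server finding above rests on an ordinary Tomcat access log: a JSP endpoint served to a handful of clients, one of them from an IP range the operators did not mean to expose. The following is an added example, not code from Kaspersky's report, showing how an analyst would triage such a log offline: parse Tomcat's default "common" access-log pattern, flag entries whose source falls in a watchlist CIDR, and tabulate which clients reached each .jsp path. The log lines are constructed, the watchlist range 203.0.113.0/24 is a documentation placeholder standing in for whatever range the analyst is hunting for, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Tomcat's "common" access-log pattern (%h %l %u %t "%r" %s %b).
# All addresses are RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2017:03:14:02 +0000] "GET /manager/html HTTP/1.1" 200 1245
203.0.113.45 - - [10/Jan/2017:03:15:11 +0000] "POST /srv/update.jsp HTTP/1.1" 200 88
198.51.100.7 - - [10/Jan/2017:03:16:40 +0000] "GET /srv/update.jsp HTTP/1.1" 200 88
192.0.2.9 - - [10/Jan/2017:03:17:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

# One regex for the common pattern; the request line is split into method and path.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_access_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(text, watchlist_cidrs):
    """Return (watchlist_hits, jsp_clients).

    watchlist_hits: parsed entries whose source IP lies in any watchlist CIDR.
    jsp_clients:    {jsp_path: Counter(source_ip -> request count)}, so the analyst
                    can see exactly which hosts spoke to each JSP endpoint.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in watchlist_cidrs]
    hits = []
    jsp_clients = {}
    for entry in parse_access_log(text):
        try:
            ip = ipaddress.ip_address(entry["host"])
        except ValueError:
            # Hostname logging was enabled; do not resolve names from an IR workstation.
            continue
        if any(ip in n for n in nets):
            hits.append(entry)
        if entry["path"].lower().endswith(".jsp"):
            jsp_clients.setdefault(entry["path"], Counter())[entry["host"]] += 1
    return hits, jsp_clients


if __name__ == "__main__":
    hits, jsp = triage(SAMPLE_LOG, ["203.0.113.0/24"])  # placeholder watchlist range
    for h in hits:
        print("watchlist hit:", h["host"], h["time"], h["method"], h["path"])
    for path, clients in jsp.items():
        print(path, dict(clients))
```

The common pattern records no connection duration, so "one short connection" cannot be recovered from it; if the Tomcat AccessLogValve pattern included `%D` (milliseconds) or `%T` (seconds), the parser would need one more field to pick that up.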