LAZARUS & WATERING-HOLE ATTACKS

2017-02-12 BAE Systems

http://baesystemsai.blogspot.kr/2017/02/lazarus-watering-hole-attacks.html

BAE Systems analyzed the Polish financial-sector watering-hole attacks reported by BadCyber and found infrastructure and malware overlaps with other activity against banks in Mexico and Uruguay. The suspected infection path began with the Polish Financial Supervision Authority site redirecting selected visitors to sap.misapor[.]ch and eye-watch[.]in, which hosted malicious JavaScript and payload delivery paths. One available sample unpacked to a malware variant seen in Lazarus tooling during the previous year, using RC4-based decryption, service-installation arguments, and command-and-control behavior. BAE also connected eye-watch[.]in to a Silverlight XAP exploit based on CVE-2016-0034 and noted that similar watering-hole redirects had appeared on the Mexican banking regulator’s site and a Uruguayan bank site. The findings matter because they tie the Polish bank compromises to a broader financial-sector targeting pattern and infrastructure set with Lazarus-toolkit overlap, while keeping some delivery details provisional.

Indicators of Compromise

Type    Value                                  First Seen   Last Seen
DOMAIN  knf.gov                                2017-02-03   2017-05-30
HASH    85d316590edfb4212049c4490db08c4b       2017-02-03   2017-04-03
HASH    c1364bbf63b3617b25b58209e4529d8c       2017-02-03   2017-04-03
HASH    1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae       2017-02-03   2017-04-03
DOMAIN  sap.misapor.ch                         2017-02-03   2017-04-03
HASH    6dffcfa68433f886b2e88fd984b4995a       2017-02-12   2017-02-20
HASH    1507e7a741367745425e0530e23768e6       2017-02-12   2017-02-12
HASH    911de8d67af652a87415f8c0a30688b2       2017-02-12   2017-02-12
HASH    4cc10ab3f4ee6769e520694a10f611d5       2017-02-12   2017-02-12
HASH    7b4a8be258ecb191c4c519d7c486ed8a       2017-02-12   2017-02-12
HASH    cb52c013f7af0219d45953bae663c9a2       2017-02-12   2017-02-12
HASH    1f7897b041a812f96f1925138ea38c46       2017-02-12   2017-02-12
URL     http://brou.com.uy                     2017-02-12   2017-02-12
URL     https://www.eye-watch.in/design…       2017-02-12   2017-02-12
URL     http://www.eye-watch.in/jscroll…       2017-02-12   2017-02-12
DOMAIN  brou.com.uy                            2017-02-12   2017-02-12
URL     http://sap.misapor.ch/vishop/vi…       2017-02-03   2017-02-12
URL     https://www.eye-watch.in/design…       2017-02-03   2017-02-12
IPv4    196.29.166.218                         2017-02-03   2017-02-12
IPv4    125.214.195.17                         2017-02-03   2017-02-12