AlienVault analyzed malicious HWP documents linked to Lazarus that targeted South Korean financial and cryptocurrency-related themes, including G20 financial meeting material and documents reportedly connected to the Bithumb theft. The HWP files contained malicious PostScript code that downloaded 32-bit or 64-bit next-stage payloads from tpddata.com paths, and the payload was identified as Manuscrypt. The samples communicated with C2 endpoints impersonating South Korean forum software, including anlway.com, apshenyihl.com, and ap8898.com PHP paths. The report also noted potentially related cryptocurrency phishing domains registered with the same phone number as malware delivery infrastructure, suggesting credential phishing may have accompanied malware delivery. The activity is significant for DPRK tracking because it connects Lazarus tradecraft to South Korean cryptocurrency and financial targets, while noting uncertainty about whether the same malware directly caused the Bithumb theft.