North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign

2018-01-16 Recorded Future

https://www.recordedfuture.com/north-korea-cryptocurrency-campaign/

Recorded Future assesses that North Korean government actors, specifically Lazarus Group, targeted South Korean cryptocurrency users, exchanges, and foreign-affairs students in late 2017. The campaign used spear-phishing lures delivered as Hangul Word Processor (HWP) documents, including Coinlink credential prompts, cryptocurrency exchange resumes, and a “Friends of MOFA” Korean Day lure. The documents embedded PostScript that exploited Ghostscript CVE-2017-8291, deobfuscated shellcode with XOR keys, and loaded DLL payloads built partly from Destover infostealer code. The payloads collected victim system information and exfiltrated files, used IP-based command-and-control infrastructure, and, in the newer cryptocurrency-themed samples, resolved imports at runtime. The activity matters because it ties Lazarus’s established financial-theft operations to South Korean cryptocurrency targeting, and because the Ghostscript exploit embedded in the HWP files is not specific to that document format and could be adapted to others.

Indicators of Compromise

Type     Value           First Seen   Last Seen
DOMAIN   coinlink.co.kr  2018-01-16   2018-01-16
