Operation Bookcodes – targeting South Korea
2021-10-07 • KRCERT •
https://vblocalhost.com/conference/presentations/operation-bookcodes-targeting-south-korea/
Operation Bookcodes typically targets bulletin boards on vulnerable websites, uploads web shells through them, and then takes full control of the host server by exploiting a local privilege escalation vulnerability. During our analysis we examined the commands (packets) and command structures the attacker actually used, and learned how the components of the C2 farm, an infrastructure built by the attacker, operate together; how the Bookcodes attacks are carried out; and how to respond to and remediate them. Based on these findings, the group of attacks that the Lazarus Group has carried out against South Korea since 2019 was named "Bookcodes". Most of the C2 farms used in the Operation Bookcodes attacks ran on domains belonging to compromised South Korean companies. By monitoring the attacker's C2 we confirmed that dozens of companies had been infected; we notified those companies of the infection and supported them in developing defence strategies.
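The abstract names the initial access technique (a web shell uploaded through a bulletin board) but gives no indicators. The following is an added, generic triage check, not code or indicators from the KRCERT presentation: it flags uploaded files in a board's upload directory whose filename carries a server-side script extension (including double extensions such as photo.jpg.php) or whose content contains common web-shell constructs, and it pulls from web server access logs the requests that executed such files. The upload directory path /board/upload/, the sample files and the log lines are all constructed for the example; the regexes are generic web-shell heuristics, not Bookcodes signatures.

```python
"""Generic web-shell-upload triage for a bulletin-board upload directory.

Constructed example, not from the KRCERT presentation. The patterns are
generic web-shell heuristics, not Operation Bookcodes indicators.
"""
import re
from pathlib import PurePosixPath

# Extensions a board upload directory should never hold as server-side code.
SCRIPT_EXTS = {".php", ".php5", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".cer", ".asa"}

# Generic web-shell constructs (case-insensitive). A hit is a lead, not proof.
SHELL_PATTERNS = [
    re.compile(p, re.I) for p in (
        r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|\$_(POST|GET|REQUEST))",
        r"\b(system|passthru|shell_exec|popen|proc_open)\s*\(\s*\$_(POST|GET|REQUEST)",
        r"Runtime\.getRuntime\(\)\.exec\(",
        r"ProcessBuilder\(",
        r"\bcmd\.exe\b",
        r"\$_(POST|GET|REQUEST)\s*\[[^\]]+\]\s*\(",  # variable function call: $_POST['f']($_POST['c'])
    )
]

# Combined-format access log: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_extension(name: str) -> bool:
    """True if any suffix of the filename is a server-side script extension.
    Checks every suffix, so photo.jpg.php and shell.php.jpg are both caught."""
    suffixes = {s.lower() for s in PurePosixPath(name).suffixes}
    return bool(suffixes & SCRIPT_EXTS)


def shell_pattern_hits(content: str) -> list:
    """Return the patterns (as strings) that match the file content."""
    return [p.pattern for p in SHELL_PATTERNS if p.search(content)]


def triage_upload(name: str, content: str) -> dict:
    """Flag an uploaded file by extension and by content; either is enough to flag."""
    bad_ext = suspicious_extension(name)
    hits = shell_pattern_hits(content)
    return {"file": name, "bad_extension": bad_ext, "pattern_hits": hits, "flag": bad_ext or bool(hits)}


def script_requests(log_lines, upload_prefix="/board/upload/"):
    """Return (ip, method, path) for successful requests that executed a script file
    under the upload directory: the server-side evidence that a web shell was used."""
    found = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string before checking
        if path.startswith(upload_prefix) and suspicious_extension(path) and m.group("status").startswith("2"):
            found.append((m.group("ip"), m.group("method"), path))
    return found


# Constructed sample data (filename -> content) and access-log lines.
SAMPLE_UPLOADS = {
    "notice_2021.pdf": "%PDF-1.4 ...",
    "photo.jpg.php": "<?php @eval(base64_decode($_POST['x'])); ?>",
    "banner.jpg": "\xff\xd8\xff\xe0 JFIF",
    "cmd.jsp": '<%@ page import="java.io.*" %><% Runtime.getRuntime().exec(request.getParameter("c")); %>',
}
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2021:10:01:12 +0900] "GET /board/view.php?id=17 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [01/Mar/2021:10:02:40 +0900] "POST /board/upload/photo.jpg.php HTTP/1.1" 200 88',
    '198.51.100.4 - - [01/Mar/2021:10:03:01 +0900] "GET /board/upload/banner.jpg HTTP/1.1" 200 20481',
    '203.0.113.7 - - [01/Mar/2021:10:05:55 +0900] "GET /board/upload/cmd.jsp?c=whoami HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    for name, content in SAMPLE_UPLOADS.items():
        result = triage_upload(name, content)
        if result["flag"]:
            print("FLAG", result)
    for ip, method, path in script_requests(SAMPLE_LOG):
        print("EXECUTED", ip, method, path)
```

Run against a real board, the two checks complement each other: the file scan finds shells that have been dropped but not yet used, and the log check finds shells that were used even if the file has since been deleted. A flagged upload should be preserved with its timestamps for forensics rather than removed on the spot, and any host where a shell was executed should be treated as a candidate for the local privilege escalation step the abstract describes.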