Target Locked: Operation Sharpshooter

2024-04-17 AttackIQ

https://www.attackiq.com/2024/04/17/operation-sharpshooter/

Lazarus Group's Operation Sharpshooter targeted more than 80 organizations, especially in finance, energy, and defense, during activity reported between October and November 2018. The campaign used a malicious Microsoft Office document to deploy the Rising Sun implant, then established persistence through the Startup folder. Rising Sun collected process, disk, network, file, directory, and peripheral information, encrypted the data, and exfiltrated it to attacker infrastructure. Later C2 communications allowed remote control of compromised systems and potential follow-on malware deployment.
