THE LAZARUS’ GAZE TO THE WORLD: WHAT IS BEHIND THE FIRST STONE?

2019-11-05 Telsy

https://web.archive.org/web/20200605214110/https://blog.telsy.com/lazarus-gate/

Telsy TRT analyzed a likely Lazarus operation that began from a spoofed email delivering a malicious document to an Italian banking and financial institution. The document carried architecture-specific first-stage payloads and dropped a library under a Microsoft ThumbNail path, then used rundll32 and a Startup-folder shortcut for persistence. The first stage performed system reconnaissance and HTTP POST beacons to command-and-control scripts hosted on compromised legitimate sites, with collected victim data compressed, encrypted, and logged by the backend. The report frames Lazarus/APT38/Hidden Cobra attribution as likely and focuses on the early kill chain, victim filtering, and second-stage delivery controls.

Indicators of Compromise

