Lazarus Under The Hood
First seen: 2017-04 • Last seen: 2026-05
#CNBV • 2016-10
The CNBV-related activity was part of a broader financial-sector watering-hole campaign in which compromised regulator and banking websites in Poland, Mexico, and Uruguay redirected selected visitors toward malicious infrastructure. Reporting connected the campaign to sap.misapor[.]ch, eye-watch[.]in, a Silverlight exploit path, Ratankba malware, encrypted C2, and tooling traits overlapping with Lazarus-linked malware, while retaining caution around definitive attribution.
Related Reports: 3
Affected Countries: 1
Months Since: 116