Hermes Ransomware

#Hermes • 2017-10

🇹🇼 Taiwan

Hermes ransomware appeared in DPRK-relevant activity around the 2017 Far Eastern International Bank heist, where BAE Systems observed Hermes alongside known Lazarus tools and assessed that it may have served as a distraction or cover during SWIFT-connected theft operations. Later reporting on Hermes 2.1 found code fragments retained from earlier Hermes binaries, destructive deletion of backups and shadow copies, and both local and network encryption behavior. That reporting also described delivery to South Korean users through a compromised Korean website and the Magnitude exploit kit using CVE-2018-4878. Some reports cautioned that the specific intent or attribution for newer samples remained uncertain.
