YamaBot: Malware Used by the Lazarus Attack Group

2022-06-30 JPCERT Malware used by the Lazarus attack group: YamaBot

https://blogs.jpcert.or.jp/ja/2022/06/yamabot.html


JPCERT/CC attributes YamaBot use to the Lazarus attack group and describes recently observed Windows variants alongside earlier Linux samples. YamaBot is written in Go and communicates with C2 servers over HTTP, sending Base64-encoded User-Agent data and RC4-encrypted, Base64-encoded host information or command output in cookie values such as captcha_session and captcha_val. The Windows variant includes functions such as download, file path/PID reporting, mutex handling, and shell command execution, while the Linux variant is described as limited to running shell commands through /bin/sh. The report lists C2 paths including www.karin-store.com/recaptcha.php, yoshinorihirano.net/wp-includes/feed-xml.php, and 213.180.180.154/editor/session/aaa000/support.php, and emphasizes that investigators should examine both Windows endpoints and Linux servers.
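The summary above describes the observable shape of YamaBot's HTTP traffic: a Base64-encoded User-Agent, cookies named captcha_session and captcha_val carrying Base64-encoded (RC4-encrypted) data, and a short list of C2 paths. The following Python script is an added example, not code from the JPCERT/CC report, showing how a defender could triage proxy logs for those traits. The pipe-delimited log format, the sample log lines and the Base64 sample values are constructed for this example; the RC4 key is not given on the page, so the script flags the traffic pattern without decrypting cookie payloads.

```python
"""Triage proxy-log lines for YamaBot-style HTTP beacons.

Added example (not JPCERT/CC code). Constructed log format, one request per line:
    timestamp|client_ip|method|url|user_agent|cookie_header
"""
import base64
import re
from urllib.parse import urlsplit

# Cookie names the report says carry RC4-encrypted, Base64-encoded data.
YAMABOT_COOKIE_NAMES = {"captcha_session", "captcha_val"}

# C2 hosts and paths listed in the report.
YAMABOT_C2_PATHS = {
    ("www.karin-store.com", "/recaptcha.php"),
    ("yoshinorihirano.net", "/wp-includes/feed-xml.php"),
    ("213.180.180.154", "/editor/session/aaa000/support.php"),
}

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(value: str) -> bool:
    """True if value is a non-empty string that strictly decodes as Base64."""
    if len(value) < 4 or len(value) % 4 or not _B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into {name: value}; values keep any '=' padding."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def parse_log_line(line: str) -> dict:
    """Parse one constructed-format log line into a request record."""
    ts, client, method, url, ua, cookie = line.rstrip("\n").split("|", 5)
    parts = urlsplit(url)
    return {
        "ts": ts, "client": client, "method": method,
        "host": parts.hostname or "", "path": parts.path,
        "user_agent": ua, "cookies": parse_cookies(cookie),
    }


def triage(rec: dict) -> list:
    """Return the list of YamaBot traits observed in one request (empty if none)."""
    reasons = []
    if (rec["host"], rec["path"]) in YAMABOT_C2_PATHS:
        reasons.append("known YamaBot C2 path %s%s" % (rec["host"], rec["path"]))
    hits = sorted(YAMABOT_COOKIE_NAMES & rec["cookies"].keys())
    if hits and all(looks_base64(rec["cookies"][c]) for c in hits):
        reasons.append("YamaBot cookie names with Base64 values: " + ", ".join(hits))
    if looks_base64(rec["user_agent"]):
        reasons.append("User-Agent is a bare Base64 string")
    return reasons


def scan_log(lines) -> list:
    """Return (client_ip, host, reasons) for every line showing at least one trait."""
    findings = []
    for rec in map(parse_log_line, lines):
        reasons = triage(rec)
        if reasons:
            findings.append((rec["client"], rec["host"], reasons))
    return findings


# Constructed sample log: one beacon-like request, one benign request,
# one request to a listed C2 path with otherwise ordinary headers.
SAMPLE_LOG = [
    "2022-06-30T10:00:00Z|10.0.0.5|POST|http://www.karin-store.com/recaptcha.php"
    "|V2luZG93cw==|captcha_session=aG9zdGluZm8=; captcha_val=AQI=",
    "2022-06-30T10:00:01Z|10.0.0.6|GET|http://example.com/index.html"
    "|Mozilla/5.0 (Windows NT 10.0)|session=abc123",
    "2022-06-30T10:00:02Z|10.0.0.7|GET|http://yoshinorihirano.net/wp-includes/feed-xml.php"
    "|Mozilla/5.0 (Windows NT 10.0)|",
]

if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG):
        print(client, host)
        for r in reasons:
            print("  -", r)
```

The three checks are deliberately independent: a hit on a listed C2 path is a strong indicator on its own, while the cookie-name and Base64 User-Agent checks are weaker and are most useful for spotting beacons to infrastructure not yet on the IoC list, which is why the script reports every reason rather than a single verdict.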

Indicators of Compromise

Type    Value                                   First Seen   Last Seen
HASH    f226086b5959eb96bd30dec0ffcbf0f…        2022-06-30   2024-07-25
HASH    6db57bbc2d07343dd6ceba0f53c7375…        2022-06-30   2024-07-25
IPv4    213.180.180.154                         2022-06-30   2022-09-08
URL     http://yoshinorihirano.net/wp-i…        2022-06-30   2022-07-12
URL     http://www.karin-store.com/reca…        2022-06-30   2022-07-12
DOMAIN  yoshinorihirano.net                     2022-06-30   2022-07-12
