JPCERT/CC describes two Lazarus/Hidden Cobra malware families, Torisma and LCPDot, used during intrusion and post-intrusion operations. Torisma is a rundll32-launched downloader that reads configuration files, uses a fixed signature and VEST-32 encryption key, sends HTTP POST requests to C2 servers, and downloads encrypted modules that can collect infected-host data or execute files. LCPDot is another downloader, sometimes VMProtect-obfuscated, that appears to support lateral movement after Torisma infections and uses options for RC4 keys and Base64-encoded C2 information. The report documents protocol details, configuration paths, encoded communications, and representative C2 URLs for defenders to hunt in affected environments.