Analysis of attack samples suspected of Lazarus (APT-Q-1) involving the npm package supply chain

2023-12-08 Qianxin Analysis of attack samples suspected of Lazarus (APT-Q-1) involving npm package supply chain

https://mp.weixin.qq.com/s/f5YE12w3x3wad5EO0EB53Q


QiAnXin analyzes downloader samples tied to an npm package supply-chain poisoning incident and assesses them as likely Lazarus, based on code overlap with historical Lazarus samples and the group's prior use of supply-chain attacks. The loader decrypts embedded PE and ZIP data, drops IconCache.db and NTUSER.DAT under the user's Roaming Microsoft paths, and establishes persistence through a scheduled task, an HKCU Run key, or the Startup folder. The main downloader contacts its C2 server to request payload metadata, downloads numbered payloads, verifies their MD5 hashes, decrypts the PE content in memory, and executes the specified export functions through rundll32-style loading. The report links the activity to infrastructure including 91.206.178.125, blockchain-newtech.com, chaingrown.com, and 156.236.76.9, and compares the loading method and constants with earlier Lazarus-linked Comebacker and 3CX-related research.

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 91.206.178.125 2023-11-04 2024-07-05
DOMAIN blockchain-newtech.com 2023-12-08 2024-05-28
DOMAIN chaingrown.com 2023-12-08 2024-05-28
URL https://blockchain-newtech.com/… 2023-12-08 2024-02-28
URL https://chaingrown.com/manage/m… 2023-12-08 2024-02-28
HASH 420a13202d271babc32bf8259cdaddf3 2023-12-08 2024-02-28
IPv4 103.179.142.171 2023-11-04 2024-01-19
HASH 1c4227bf06121fe9c454a85ad9245b56 2023-12-08 2023-12-08
HASH d8a8cc25bf5ef5b96ff7a64f663cbd29 2023-12-08 2023-12-08
HASH a6e7c231a699d4efe85080ce5fb36dfb 2023-12-08 2023-12-08
HASH 46127a35b73b714a9c5c58aaa43cb51f 2023-12-08 2023-12-08
HASH 7298b1f10ee6afab5e8bf648be1ca13b 2023-12-08 2023-12-08
IPv4 156.236.76.9 2023-12-08 2023-12-08
