Lazarus attack group exploiting vulnerabilities in domestic financial security solutions
2023-06-08 • AhnLab • Lazarus attack group exploits vulnerabilities in domestic financial security solutions
AhnLab reports that Lazarus exploited vulnerabilities in South Korean financial and enterprise security software, expanding beyond the previously abused INISAFE CrossWeb EX and MagicLine4NX to zero-days in VestCert and TCO!Stream. Using watering-hole access against systems with vulnerable VestCert installations, the group launched PowerShell, contacted C2 servers, and downloaded malware such as WinSync.dll. For internal propagation, attacker-built tooling abused TCO!Stream client behavior on TCP 3511 to instruct endpoints to download and execute staged files from the management server. AhnLab notes coordination with KISA and the vendors, and urges users to manually remove or reinstall the affected products, because they were not updated automatically.
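Two detection checks a defender can derive from the behavior above, as an added example that is not part of the AhnLab report: flag connections to the TCO!Stream client port (TCP 3511) from any host other than the management server, and flag PowerShell making connections outside the internal network. The log format, addresses and management-server allowlist are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions (not from the AhnLab report): TCO!Stream clients accept
# management commands on TCP 3511, and only the legitimate management
# server should ever open a connection to that port. Addresses are constructed.
TCO_STREAM_PORT = 3511
MANAGEMENT_SERVERS = {"10.0.0.5"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

@dataclass
class Alert:
    ts: str
    rule: str
    src_ip: str
    dst_ip: str

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def scan(lines):
    """Return alerts for log lines of the constructed form
    'ts src_ip src_port dst_ip dst_port process' (process may be 'unknown')."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src_ip, _src_port, dst_ip, dst_port, proc = line.split()
        # Rule 1: command channel to a TCO!Stream client from a host
        # other than the management server (internal propagation stage).
        if int(dst_port) == TCO_STREAM_PORT and src_ip not in MANAGEMENT_SERVERS:
            alerts.append(Alert(ts, "tco_stream_command_from_unexpected_host", src_ip, dst_ip))
        # Rule 2: PowerShell reaching outside the internal network
        # (C2 contact after the watering-hole stage).
        if proc.lower() == "powershell.exe" and not is_internal(dst_ip):
            alerts.append(Alert(ts, "powershell_external_connection", src_ip, dst_ip))
    return alerts

# Constructed sample flow log: one legitimate management connection, one
# command sent from a workstation, one PowerShell C2 contact, one internal download.
SAMPLE_LOG = """
# ts src_ip src_port dst_ip dst_port process
2023-06-01T09:00:01 10.0.0.5 50120 10.0.1.20 3511 unknown
2023-06-01T09:05:13 10.0.1.77 49311 10.0.1.20 3511 unknown
2023-06-01T09:06:00 10.0.1.20 49500 198.51.100.23 443 powershell.exe
2023-06-01T09:07:30 10.0.1.20 49510 10.0.0.5 8080 powershell.exe
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Rule 1 only works where client-side TCP 3511 traffic is visible in flow or firewall logs, so pair it with an allowlist that is kept in step with the actual management server addresses.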