Anti-forensic techniques used by the Lazarus Group
2023-02-15 • AhnLab • Anti-forensic techniques used by the Lazarus Group
AhnLab analyzed anti-forensic techniques observed on systems compromised by the Lazarus Group in South Korea, including defense, satellite, software, and media-related environments. The report describes Lazarus hiding encrypted loader, PE, and configuration components under system-like folders and filenames, then decrypting them in memory to contact C2 and retrieve additional payloads. Investigators also observed artifact wiping, including deleting malware only after overwriting and renaming it, and bulk Prefetch cleanup, to frustrate file recovery and execution tracing. A remaining backdoor was timestomped to match legitimate Windows files such as notepad.exe, showing selective timeline obfuscation used to conceal long-term access.
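The timestomping described above leaves two signals an analyst can triage for: a non-Windows file whose creation and modification times equal a reference binary's down to the NTFS tick, and timestamps whose sub-second part is exactly zero, which many timestomping tools produce because they accept second granularity only. The following script is an added example, not code from the AhnLab report; the file records in `demo()` are constructed, and the `wmi_helper.dll` path is a hypothetical placeholder, not an indicator from the report.

```python
from dataclasses import dataclass
import os

@dataclass(frozen=True)
class FileTimes:
    path: str
    ctime_ns: int  # creation time in ns since epoch (NTFS resolution is 100 ns)
    mtime_ns: int  # last-modified time in ns since epoch

def collect_times(root: str) -> list[FileTimes]:
    """Walk a live directory tree. st_birthtime_ns is the creation time where the
    platform exposes it; on Windows st_ctime_ns already holds the creation time."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            out.append(FileTimes(p, getattr(st, "st_birthtime_ns", st.st_ctime_ns), st.st_mtime_ns))
    return out

def subsecond_is_zero(ts_ns: int) -> bool:
    """A fractional part of exactly 0 is rare for genuine NTFS timestamps but common
    for files whose times were set by a tool working at one-second granularity."""
    return ts_ns % 1_000_000_000 == 0

def find_timestomp_candidates(files: list[FileTimes], reference: FileTimes) -> list[tuple[str, str]]:
    """Flag files whose (creation, modified) pair equals the reference file's to the tick,
    and files with zero sub-second fields. Both are triage hints, not proof: files laid
    down by the same Windows update legitimately share timestamps, and the $FILE_NAME
    attribute in the MFT (not parsed here) is where the original times can be confirmed."""
    findings = []
    for f in files:
        if f.path.lower() == reference.path.lower():
            continue
        if (f.ctime_ns, f.mtime_ns) == (reference.ctime_ns, reference.mtime_ns):
            findings.append((f.path, f"timestamps identical to {reference.path}"))
        elif subsecond_is_zero(f.ctime_ns) and subsecond_is_zero(f.mtime_ns):
            findings.append((f.path, "zero sub-second timestamps"))
    return findings

def demo() -> list[tuple[str, str]]:
    """Constructed sample records; paths and times are made up for illustration."""
    notepad = FileTimes(r"C:\Windows\System32\notepad.exe", 1_554_000_000_123_456_700, 1_554_000_000_123_456_700)
    files = [
        notepad,
        FileTimes(r"C:\Windows\System32\wbem\wmi_helper.dll", 1_554_000_000_123_456_700, 1_554_000_000_123_456_700),
        FileTimes(r"C:\ProgramData\cache.bin", 1_650_000_000_000_000_000, 1_650_000_000_000_000_000),
        FileTimes(r"C:\Users\alice\report.docx", 1_670_000_000_456_123_000, 1_670_000_100_789_000_000),
    ]
    return find_timestomp_candidates(files, notepad)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

On a live image, replace the constructed list with `collect_times()` over the mounted volume and pick the reference from the legitimate binaries the report names.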