Lazarus Group Uses DLL Side-Loading Technique (mi.dll)

2022-10-06 AhnLab: Lazarus Group Uses DLL Side-Loading Technique (mi.dll)

https://asec.ahnlab.com/ko/39648/


AhnLab observed Lazarus using DLL side-loading during early intrusion activity to run malicious code through legitimate Microsoft binaries, including wsmprovhost.exe and dfrgui.exe. The intrusion chain involved an older INITECH process distributing the scskapplink.dll backdoor, followed by suspected execution of additional payloads from wsmprovhost.exe, since a malicious mi.dll was found in the same directories. The malicious mi.dll was based on the open-source BugTrap project, contained an AES-128-encrypted embedded binary, and decrypted and executed the next-stage malware in memory using a key passed at runtime. AhnLab classified the technique as defense evasion because the malicious behavior ran inside the memory of a legitimate process, and provided detections for SCSKAppLink.dll and mi.dll as Lazarus-related malware.
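The placement pattern described above (a file named mi.dll sitting next to a copy of wsmprovhost.exe or dfrgui.exe) and the hash indicators listed below are both things a responder can check for on disk. The following Python script is an added example written for this page, not code from AhnLab or from the report; it walks a directory tree, flags any file whose MD5 matches one of the four published indicators, and flags an mi.dll that shares a directory with one of the named host binaries. It assumes that the genuine mi.dll and wsmprovhost.exe normally live under the Windows system directory, so a caller passes that directory in `exclude_dirs` to avoid flagging the real copies; the sample tree it builds is constructed from placeholder bytes so the demonstration runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 values from the report's indicator table (the only IoCs the page provides).
LAZARUS_MD5 = {
    "ff46decb93c6d676a37e87de57bae196",
    "0cc73994988e8dce2a2eeab7bd410fad",
    "54b0454163b25a38368e518e1687de5b",
    "9caebeda61018e86a29c291225f0319f",
}

# Legitimate Microsoft binaries the report names as side-loading hosts,
# and the DLL name that was planted beside them.
HOST_BINARIES = {"wsmprovhost.exe", "dfrgui.exe"}
SIDELOADED_DLL = "mi.dll"


def md5_of(path):
    """Return the lowercase hex MD5 of a file, read in 1 MiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, exclude_dirs=()):
    """Walk `root` and return (path, reason) pairs for suspicious files.

    Two checks are applied: an MD5 match against the published indicators,
    and the report's placement pattern (an mi.dll in the same directory as
    one of the host binaries). Directories in `exclude_dirs` are skipped;
    pass the Windows system directory there, on the assumption that the
    genuine mi.dll and wsmprovhost.exe reside in it.
    """
    excluded = {Path(d).resolve() for d in exclude_dirs}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath).resolve()
        if any(here == e or e in here.parents for e in excluded):
            dirnames[:] = []  # do not descend into an excluded directory
            continue
        names_lower = {f.lower() for f in filenames}
        hosts = sorted(HOST_BINARIES & names_lower)
        for name in filenames:
            p = here / name
            if not p.is_file():
                continue
            if md5_of(p) in LAZARUS_MD5:
                findings.append((str(p), "MD5 matches a published indicator"))
            elif name.lower() == SIDELOADED_DLL and hosts:
                findings.append((str(p), "mi.dll colocated with " + ", ".join(hosts)))
    return findings


def build_sample_tree():
    """Create a constructed directory layout for an offline demonstration.

    None of these files are real binaries; they are placeholder bytes.
    """
    root = Path(tempfile.mkdtemp(prefix="sideload-demo-"))
    (root / "copied").mkdir()
    (root / "copied" / "wsmprovhost.exe").write_bytes(b"MZ placeholder host binary")
    (root / "copied" / "mi.dll").write_bytes(b"MZ placeholder planted dll")
    (root / "alone").mkdir()
    (root / "alone" / "mi.dll").write_bytes(b"MZ placeholder dll with no host beside it")
    (root / "defrag").mkdir()
    (root / "defrag" / "dfrgui.exe").write_bytes(b"MZ placeholder host binary")
    (root / "defrag" / "notes.txt").write_bytes(b"unrelated file")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path, reason in scan_tree(demo_root):
        print(f"{reason}: {path}")
```

Only the mi.dll under `copied` is reported: the one under `alone` has no host binary next to it, and `defrag` contains a host but no mi.dll. The hash check is exact and will only fire on the four listed samples; the placement check is a heuristic and any hit should be confirmed by examining the DLL itself.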

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   ff46decb93c6d676a37e87de57bae196   2022-10-06   2022-10-06
HASH   0cc73994988e8dce2a2eeab7bd410fad   2022-10-06   2022-10-06
HASH   54b0454163b25a38368e518e1687de5b   2022-10-06   2022-10-06
HASH   9caebeda61018e86a29c291225f0319f   2022-10-06   2022-10-06
