Analysis of North Korean Lazarus Group Malware Disguised as an IPMsg Installer

2025-05-16 Igloo Cyber threat report on Lazarus, IPMsg

https://www.igloopedia.com/1caf216a-760c-807e-8aef-daa4cb009201


The report analyzes Lazarus malware disguised as an IP Messenger installer that reuses the filename of a legitimate IPMsg setup package. The malicious installer decrypts its embedded DLL components and loads them filelessly, then runs the legitimate installer from the user's AppData directory so the victim sees a normal installation and the infection stays hidden. The DLL chain includes anti-reversing checks, such as refusing to run unless a specific parameter is supplied, and can maintain persistent communication with up to three C2 servers. From C2 it can download ZIP-packaged malicious DLLs and execute them for follow-on activity, while attempting to evade sandboxes and automated analysis.
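As an added defensive example (not code from the report or from Igloo), the script below hunts constructed process-creation and DNS events for the behaviour described above: an IPMsg-named installer spawning a second IPMsg-named installer from the user's AppData directory, plus matches against the MD5 hashes and domain in the report's IoC table. The event field names and sample paths are assumptions, not a real log schema.

```python
from pathlib import PureWindowsPath

# MD5 hashes and domain taken from the report's IoC table
IOC_MD5 = {
    "d4e2bd08c8366be665e54592dec1a7ce",
    "a31f8f6e6078f9f59d195e3e2f29d1b3",
    "8459e1c6f6c1d3996b3a86146eb961bf",
    "a7b23cd8b09a3ce918a77de355e9d3e5",
}
IOC_DOMAINS = {"cryptocopedia.com"}

def looks_like_ipmsg_installer(path: str) -> bool:
    """Heuristic: an .exe whose file name mentions ipmsg (assumed naming)."""
    name = PureWindowsPath(path).name.lower()
    return name.endswith(".exe") and "ipmsg" in name

def under_appdata(path: str) -> bool:
    return "appdata" in (p.lower() for p in PureWindowsPath(path).parts)

def analyse_event(ev: dict) -> list:
    """Return the names of the rules a single event trips (empty list = clean)."""
    hits = []
    if ev.get("md5", "").lower() in IOC_MD5:
        hits.append("ioc_hash")
    image, parent = ev.get("image", ""), ev.get("parent_image", "")
    # Reported behaviour: the disguised installer launches the real one from AppData
    if (looks_like_ipmsg_installer(image) and under_appdata(image)
            and looks_like_ipmsg_installer(parent) and not under_appdata(parent)):
        hits.append("ipmsg_installer_from_appdata")
    if ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
        hits.append("ioc_domain")
    return hits

# Constructed sample events (assumed field names; not taken from the report)
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\ipmsg_setup.exe",
     "parent_image": r"C:\Windows\explorer.exe", "md5": "d4e2bd08c8366be665e54592dec1a7ce"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\ipmsg_setup.exe",
     "parent_image": r"C:\Users\alice\Downloads\ipmsg_setup.exe", "md5": "0" * 32},
    {"image": r"C:\Program Files\IPMsg\ipmsg.exe",
     "parent_image": r"C:\Windows\explorer.exe", "md5": "1" * 32},
    {"query": "cryptocopedia.com",
     "image": r"C:\Users\alice\AppData\Local\Temp\ipmsg_setup.exe"},
]

def hunt(events=SAMPLE_EVENTS) -> dict:
    """Map event index -> triggered rules, omitting clean events."""
    return {i: h for i, ev in enumerate(events) if (h := analyse_event(ev))}

if __name__ == "__main__":
    for i, hits in hunt().items():
        print(i, hits)
```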

Indicators of Compromise

| Type   | Value                              | First Seen | Last Seen  |
|--------|------------------------------------|------------|------------|
| HASH   | d4e2bd08c8366be665e54592dec1a7ce   | 2025-05-16 | 2025-05-16 |
| HASH   | a31f8f6e6078f9f59d195e3e2f29d1b3   | 2025-05-16 | 2025-05-16 |
| HASH   | 8459e1c6f6c1d3996b3a86146eb961bf   | 2025-05-16 | 2025-05-16 |
| HASH   | a7b23cd8b09a3ce918a77de355e9d3e5   | 2024-12-26 | 2025-05-16 |
| URL    | https://cryptocopedia.com/upgra…   | 2024-12-26 | 2025-05-16 |
| DOMAIN | cryptocopedia.com                  | 2024-07-08 | 2025-05-16 |
