The Lazarus Attack Group Attacks Windows Servers and Uses Them as Malware Distribution Servers

2023-07-14 AhnLab The Lazarus attack group attacks Windows servers and uses them as malware distribution servers.

https://asec.ahnlab.com/ko/55252/


AhnLab reported that Lazarus compromised Windows IIS web servers and repurposed them as malware distribution servers for attacks exploiting unpatched INISAFE CrossWeb EX installations. In the observed server compromise, the IIS worker process w3wp.exe created Lazarus tooling, including a Themida-packed JuicyPotato privilege-escalation binary named usopriv.exe and a DLL loader named usoshared.dat that was executed via rundll32. The loader searched several paths for an encoded data file masquerading as a GIF, decrypted the configuration and PE data it contained, and behaved consistently with known Lazarus loaders that run downloader or backdoor payloads in memory. AhnLab tied the infrastructure to ongoing attempts to deliver SCSKAppLink.dll through INISAFE exploitation and urged patching of exposed IIS servers and INITECH-related assets.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  280152dfeb6d3123789138c0a396f30d  2023-07-14  2023-07-24
HASH  d0572a2dd4da042f1c64b542e24549d9  2023-07-14  2023-07-24
