Lazarus group targeting Windows IIS web servers

2023-05-17 Ahnlab Lazarus group targeting Windows IIS web servers

https://asec.ahnlab.com/ko/52829/

AhnLab observed Lazarus attacking poorly managed or vulnerable Windows IIS web servers: after gaining access, the actor used the IIS worker process w3wp.exe to drop Wordconv.exe together with a malicious msvcr100.dll and an msvcr100.dat file in the same directory. Loaded through DLL side-loading, the malicious DLL decrypted an encoded PE with Salsa20 and executed it; it resembled the earlier cylvc.dll loader and likely delivered a backdoor-style payload. Follow-on activity abused a Notepad++ Color Picker plugin DLL, diagn.dll, to decrypt another payload with RC6, and AhnLab telemetry showed access to lsass.exe memory, suggesting credential theft. The actor then used the stolen credentials for internal reconnaissance and lateral movement over RDP, underscoring Lazarus's continued reliance on DLL side-loading and exposed servers as an entry point for enterprise intrusions.
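Detection logic for the chain summarised above, as an added example that is not from the AhnLab report: it labels constructed Sysmon-style process-creation, image-load and process-access events (event IDs 1, 7 and 10) for w3wp.exe spawning a child, msvcr100.dll or diagn.dll loaded from outside a system directory, and lsass.exe opened by a process outside an assumed allowlist. The field names, sample paths and the lsass allowlist are assumptions to be tuned per environment.

```python
from pathlib import PureWindowsPath

# DLL names the report cites as side-loaded; system dirs where the real runtime lives
SIDELOAD_DLLS = {"msvcr100.dll", "diagn.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumed allowlist of processes that legitimately open lsass.exe; tune per environment
LSASS_READERS = {"csrss.exe", "wininit.exe", "services.exe"}

def _name(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Label one Sysmon-style event (dict) or return None when it looks benign."""
    eid = event["EventID"]
    if eid == 1 and _name(event["ParentImage"]) == "w3wp.exe":
        # IIS worker process spawning a child; Wordconv.exe is the staged loader here
        return "iis_worker_spawned_" + _name(event["Image"])
    if eid == 7 and _name(event["ImageLoaded"]) in SIDELOAD_DLLS:
        loaded_dir = str(PureWindowsPath(event["ImageLoaded"]).parent).lower()
        # Side-loaded copy sits beside the host EXE rather than under a system directory
        if not loaded_dir.startswith(SYSTEM_DIRS):
            return "sideloaded_" + _name(event["ImageLoaded"])
    if eid == 10 and _name(event["TargetImage"]) == "lsass.exe":
        if _name(event["SourceImage"]) not in LSASS_READERS:
            return "lsass_access_from_" + _name(event["SourceImage"])
    return None

def scan(events):
    """Return the alert labels for a list of events, in order."""
    return [label for label in map(classify, events) if label]

# Constructed sample events (not real telemetry) mirroring the reported chain
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\inetpub\wwwroot\Wordconv.exe"},
    {"EventID": 7, "Image": r"C:\inetpub\wwwroot\Wordconv.exe",
     "ImageLoaded": r"C:\inetpub\wwwroot\msvcr100.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcr100.dll"},  # legitimate runtime copy
    {"EventID": 10, "SourceImage": r"C:\Users\Public\notepad++.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```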

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  228732b45ed1ca3cda2b2721f5f5667c  2023-05-17  2023-05-23
HASH  e501bb6762c14baafadbde8b0c04bbd6  2023-05-17  2023-05-23
HASH  47d380dd587db977bf6458ec767fee3d  2023-05-17  2023-05-23
HASH  4d91cd34a9aae8f2d88e0f77e812cef7  2022-10-24  2023-05-23
URL   https://www.samdb.or.kr/info/pi…  2023-05-17  2023-05-17
