100DaysofYARA - In Memory Detection

2024-01-01 Greg Lesnewich

https://g-les.github.io/yara/2024/01/01/100DaysofYARA_MemoryDetection.html


Greg Lesnewich demonstrates memory-based YARA detection for HazyLoad, a loader that the rule's references tie to North Korean TeamCity exploitation and Lazarus-related RAT reporting. Hatching Triage memory snapshots exposed proxy-tool strings once the payload was running in process memory, including SOCKS4 usage, proxy connection errors, and handshake messages that were not visible in the static strings. The resulting APT_NK_TA430_HazyLoad_Mem rule uses a strict string condition against the unpacked in-memory payload and records a representative SHA-256 sample hash. The source emphasizes collision testing and careful tuning, because memory-focused rules are harder to prevalence-check than static file signatures.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
YARA   APT_NK_TA430_HazyLoad_Mem           2024-01-01   2024-01-01
HASH   f794dd23878fbae2472178d00867302…    2024-01-01   2024-01-01
