Lazarus compromised a software vendor through unpatched legitimate software and continued exploiting that vendor’s software while targeting other software makers, suggesting interest in source code theft or supply-chain tampering. The campaign deployed SIGNBT for victim control and also used LPEClient, a Lazarus tool associated in the excerpt with victim profiling and payload delivery in attacks on defense contractors and the cryptocurrency industry. Post-exploitation activity appeared inside legitimate security software processes, with SIGNBT loaded in memory by shellcode and supported by persistence methods including ualapi.dll side-loading through spoolsv.exe and registry-based execution of legitimate files. The loader verifies a specific MachineGuid before decrypting a payload from a hard-coded local path, and SIGNBT then reads encrypted configuration containing C2 proxy addresses, sleep intervals, version data, monitored targets, and other operational parameters. Its C2 protocol uses SIGNBT-prefixed stages, victim profiling through the CCBrush class, randomized HTTP parameters, AES-encrypted tasking, and backdoor functions invoked when the server returns commands rather than a keep-alive response.