Analysis of Lazarus Group’s Attack on Windows Web Servers

2025-03-10 Ahnlab

https://asec.ahnlab.com/en/86687/


ASEC reports that the Lazarus group compromised South Korean Windows IIS web servers and turned them into first-stage C2 infrastructure using ASP web shells and proxy scripts. The January 2025 cases resembled earlier Lazarus activity but used a newer C2 script that accepts cookie data as well as form data and stores proxy metadata in files named Bottom1.gif, Bottom2.gif, and Bottom3.gif. Investigators found RedHat Hacker web shells, additional JSON-capable ASP web shells, LazarLoader installed through the IIS worker process w3wp.exe, and a UAC bypass tool. LazarLoader decrypted its payloads with the key Node.Js_NpmStart and was followed by rundll32 execution from ProgramData, indicating that the servers were used both as proxies and for post-compromise malware deployment.
