Analysis of Lazarus malware abusing Non-ActiveX Module in South Korea

2021-07-08 S2W

https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12


S2W analyzes a Lazarus-linked signed DLL disguised as the open-source Notepad++ ComparePlus plugin and apparently tailored to systems that have a South Korean Non-ActiveX security component installed. The malware checks for INITECH/INISAFE Web EX Client files and SCSKAppLink.dll before loading itself through comp.exe, using DLL injection to force execution. Its final behavior is to download an additional payload from compromised Korean web infrastructure, decrypt it with RC5, and execute it in memory; the observed download URLs were on grandgolf.co.kr, namchuncheon.co.kr, and kdone.co.kr, each path carrying product_field=racket. The report ties the sample to Lazarus through similarities in its string-decoding logic and through the group's recurring use of normal-file masquerading, signed components, and domestic Korean distribution sites.

Indicators of Compromise

Type Value First Seen Last Seen
HASH b3a8c88297daecdb9b0ac54a3c107797 2021-07-08 2023-04-12
HASH a881c9f40c1a5be3919cafb2ebe2bb5… 2021-07-08 2022-04-14
HASH 61367c3a1d4c9ccaee568157bc4cf2f… 2021-07-08 2021-07-08
HASH 98151ba9f3e0a55bba16c58428b3a178 2021-07-08 2021-07-08
HASH 46660f562fe01b5df0e1ac03dd44b4c… 2021-07-08 2021-07-08
