Andariel’s silly mistakes and a new malware family
2023-06-28 • Kaspersky
https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/
Kaspersky describes Andariel, a Lazarus subgroup, exploiting Log4j to download follow-on malware and rapidly deploy the DTrack backdoor during intrusions. The investigation documented human-operated command execution marked by typos and locale discovery, and observed off-the-shelf tooling such as Supremo remote desktop during post-exploitation. Kaspersky also identified EarlyRat, a previously undocumented PureBasic RAT linked to the same Andariel activity and to phishing documents whose macros contacted infrastructure associated with the HolyGhost/Maui ransomware campaign. EarlyRat collects system information, communicates with its C2 using Base64-encoded content XORed with a machine-specific key, and mainly supports command execution, reinforcing Andariel’s pattern of mixing custom malware, ransomware-adjacent activity, and hands-on intrusion tradecraft.