APT-C-26 (Lazarus) Group Fake E-commerce Component Attack Campaign Analysis Report

2022-07-15 Qihoo360 Analysis report on an APT-C-26 (Lazarus) campaign using fake e-commerce components

https://mp.weixin.qq.com/s/USitU4jAg9y2XkQxbwcAPQ


360 attributed a 2022 campaign to Lazarus/APT-C-26 that used fake Alibaba-related components to target specific users; observed victims included the South Korean software company Hancom Secure. The loader established persistence through counterfeit components such as alibabaprotect.db and alibabaconf.bat, then executed an HttpUploader payload associated with the NukeSped family. The malware received the C2 address and local upload path as runtime parameters, decrypted a second stage in memory, and attempted to read and upload files such as c:\ProgramData\Alibaba\cfpconfg.out. Reported infrastructure included stracarrara[.]org and namchuncheon.co[.]kr. The campaign is notable because it combined targeted collection, configuration passed as parameters rather than embedded in the binary, and fileless follow-on execution to reduce its on-disk footprint and exposure.

Indicators of Compromise

Type   Value                                   First Seen   Last Seen
HASH   b25f1917d45fd0db2c82feb239b9e69e        2022-07-15   2022-07-15
URL    http://www.stracarrara.org/publ…        2022-07-15   2022-07-15
