Analysis of an APT-C-26 (Lazarus) attack campaign using fake VNC software

2023-06-26 Qihoo360 Analysis of attack activities of APT-C-26 (Lazarus) organization using fake VNC software

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247492789&idx=1&sn=a991e6c5ed7388515d75f02e9c33428f&chksm=f9c1d7bcceb65eaa504f5b1e56ad0f31d2aee62623102d2a8f80fcd7c203047691c7f654ae45&scene=178&cur_album_id=1915287066892959748#rd

360 Advanced Threat Research Institute attributes a campaign using fake ComcastVNC software to APT-C-26/Lazarus with medium confidence, based on its alignment with previously reported Lazarus TightVNC and sRDI/BlindingCan tradecraft. The initial archive/ISO delivered ComcastVNC.exe (a legitimate copy of choice.exe abused for DLL sideloading) together with version.dll and portable.dat; on execution the sideloaded DLL loaded shellcode and either ran it in a new thread or, when Kaspersky was present, injected it into iexpress.exe. The chain then dropped a modified TightVNC-based ComcastVNC.DAT and a VMProtect-protected BlindingCan/AIRDRY HTTP(S) backdoor that contacted rowdensurname[.]org. As evidence, the analysis cites matching RTTI artifacts, rich-header similarities, User-Agent and communication-string overlap, RC4/Base64-encrypted C2 traffic, and server-side ASP handling of client identifiers.

Indicators of Compromise

Type Value First Seen Last Seen
HASH 9fff2b059a182e2cb2be604580a911b0 2023-06-26 2023-06-26
URL https://www.rowdensurname.org/s… 2023-06-26 2023-06-26
