Analysis of the APT-C-26 (Lazarus) Attack Campaign Exploiting CVE-2025-55182 and Copperhedge Components

2026-06-03 Qihoo360 Analysis of APT-C-26 (Lazarus) Attack Campaign Exploiting CVE-2025-55182 and Copperhedge Components

https://mp.weixin.qq.com/s/3kwDMAXviaE1TUDnkYlqrg


Lazarus is assessed to have weaponized CVE-2025-55182, an insecure deserialization flaw in React Server Components, in a Windows executable that scans target lists and attempts bulk exploitation for initial access. The intrusion chain pairs the exploit tool with MultiRelay for internal movement, Akagi64 for UAC bypass, and rundll32 execution of a Copperhedge Loader that decrypts and runs a Copperhedge Backdoor in memory. The backdoor creates the MsSecurityObj mutex, stores its encrypted configuration in a file or registry location, collects host and network details, and communicates with its C2 server over HTTP, first passing parameters and then exchanging traffic protected with ChaCha20, XOR, and Base64 encoding. Its command set supports reconnaissance, command execution, file upload and download, CAB archive staging, process control, timestamp manipulation, configuration updates, and reflective payload loading. The report links the activity to Lazarus based on Copperhedge's historical association with the group, overlap with known CVE-2025-55182 exploitation patterns, and likely targeting of financial or blockchain infrastructure.

Indicators of Compromise

