Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two
2020-10-23 • WithSecure
WithSecure's second Lazarus detection-engineering post turns F-Secure threat intelligence into defensive logic for the later stages of a Lazarus intrusion. It covers the defense-evasion activity not addressed in part one, then credential access, lateral movement, and command-and-control (C2): PE injection, event-log clearing, credential theft, movement between hosts, and C2 behaviors, each mapped to MITRE ATT&CK. The emphasis is on operational detections: centralized log collection so that evidence survives endpoint log clearing, event and command-line monitoring, and behavioral rules that blue teams can adapt into Sigma-style analytics. Its CTI value is not new attribution but the practical conversion of known Lazarus tradecraft into concrete detection opportunities for defenders.
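As an added illustration of the "behavioral rules adaptable into Sigma-style analytics" point, the block below is a minimal Sigma-like matcher for event-log clearing (ATT&CK T1070.001), run over constructed sample events. This is example code written for this summary, not the detection logic from the WithSecure/F-Secure post. The rule, the Python representation of Sigma's selection/condition shape, and the sample events are all assumptions; the event identifiers it relies on are real Windows ones (Security event 1102 "the audit log was cleared", System event 104, `wevtutil cl`, and the `Clear-EventLog`/`Remove-EventLog` PowerShell cmdlets), and the field names follow Security-log/Sysmon conventions.

```python
"""Added example: a Sigma-style rule for Windows event-log clearing evaluated
against constructed events. Not code from the original post."""
import re
from typing import Any

# Sigma-like rule as Python data. Real Sigma is YAML with
# `detection: selection_*: ...` and a `condition:` string; this mirrors it.
LOG_CLEAR_RULE = {
    "title": "Windows Event Log Cleared",
    "tags": ["attack.defense_evasion", "attack.t1070.001"],
    "detection": {
        # Security log cleared (1102) or System log cleared (104)
        "selection_event": {"EventID": [1102, 104]},
        # Clearing via the command line, as seen in 4688 / Sysmon 1 records
        "selection_cmdline": {
            "CommandLine|re": [
                r"wevtutil(\.exe)?\s+(cl|clear-log)\b",
                r"\b(Clear|Remove)-EventLog\b",
            ],
        },
        "condition": "selection_event or selection_cmdline",
    },
}

# Constructed sample events (assumed field names, not captured telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1102, "Channel": "Security", "Computer": "ws01",
     "SubjectUserName": "svc_backup"},
    {"EventID": 4688, "Computer": "ws02", "SubjectUserName": "jdoe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"EventID": 1, "Computer": "ws03", "User": "CORP\\jdoe",
     "CommandLine": "powershell.exe -nop -c Clear-EventLog -LogName System"},
    {"EventID": 4688, "Computer": "ws02", "SubjectUserName": "admin",
     "CommandLine": "wevtutil.exe qe Security /c:5"},   # query, not a clear
    {"EventID": 4624, "Computer": "ws01", "TargetUserName": "jdoe"},
]


def _values_match(actual: Any, modifier: str, expected: list) -> bool:
    """Sigma semantics: a list of values is OR-ed; modifiers alter the test."""
    if actual is None:
        return False
    if modifier == "re":
        return any(re.search(p, str(actual), re.IGNORECASE) for p in expected)
    if modifier == "contains":
        return any(str(v).lower() in str(actual).lower() for v in expected)
    return actual in expected  # default: exact match against any listed value


def _selection_matches(event: dict, selection: dict) -> bool:
    """All fields within one selection must match (Sigma ANDs the fields)."""
    for spec, expected in selection.items():
        field_name, _, modifier = spec.partition("|")
        if not _values_match(event.get(field_name), modifier, expected):
            return False
    return True


def _condition_true(condition: str, results: dict) -> bool:
    """Evaluate 'a or b', 'a and b', or 'a and b or c' (no parentheses)."""
    return any(
        all(results[name.strip()] for name in clause.split(" and "))
        for clause in condition.split(" or ")
    )


def run_rule(rule: dict, events: list) -> list:
    """Return one alert dict per event that satisfies the rule's condition."""
    detection = rule["detection"]
    selections = {k: v for k, v in detection.items() if k != "condition"}
    alerts = []
    for event in events:
        results = {name: _selection_matches(event, sel)
                   for name, sel in selections.items()}
        if _condition_true(detection["condition"], results):
            alerts.append({"rule": rule["title"], "tags": rule["tags"],
                           "event": event})
    return alerts


if __name__ == "__main__":
    for alert in run_rule(LOG_CLEAR_RULE, SAMPLE_EVENTS):
        ev = alert["event"]
        print(f"{alert['rule']} on {ev['Computer']}: EventID {ev['EventID']}"
              f" {ev.get('CommandLine', '')}".rstrip())
```

Against the five sample events the rule fires three times (the 1102 record, the `wevtutil cl` process, and the `Clear-EventLog` PowerShell process) and stays silent on the `wevtutil qe` query and the logon. The 1102 event only tells you that the log was cleared and by whom; the events that preceded the clearing exist afterwards only if they were already forwarded, which is why the post's centralized log collection is the precondition for the rest of its detections, not an optional extra.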