Detects a malicious DLL used by a North Korean Threat actor Lazarus

2024-03-14 Rusty Noob619

https://github.com/RustyNoob-619/100-Days-of-YARA-2024/blob/main/Day74.yar


A YARA rule identifies a Lazarus-linked malicious DLL sample shared in March 2024, keyed to SHA-256 5289529957d52c9d5fc2e47aa9924fd1de21b902509dee0241d5d6b056733a94. The rule looks for Windows internet settings strings, SeDebugPrivilege, AutoConfigURL, HTTP form content headers, zlib-style diagnostic strings, and a PE import profile spanning KERNEL32, ole32, SHELL32, and ADVAPI32 APIs. It also requires exported functions such as InitProcessPriv, InitThread, ShutdownLockAppHostServer, StartLockAppHostServer, UnInitProcessPriv, and UnInitThread. The source is a detection artifact rather than a full intrusion report, so it supports hunting for the referenced Lazarus DLL but provides little victim or campaign context.

Indicators of Compromise

Type  Value                              First Seen  Last Seen
YARA  DLL_North_Korean_Lazarus_March2…   2024-03-14  2024-03-14
HASH  5289529957d52c9d5fc2e47aa9924fd…   2024-03-14  2024-03-14
