From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams

2024-04-18 Avast

https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/


Avast describes a Lazarus campaign that targeted selected individuals in Asia with fabricated job offers, building rapport with each target before delivering a malicious ISO presented as a VNC tool. The ISO relied on DLL sideloading: a legitimate, signed Windows choice.exe binary was run from the ISO so that it loaded a malicious version.dll placed beside it instead of the system copy. That loader then ran an obfuscated payload stored as aws.cfg, which attempted to download shellcode from a compromised legitimate website (www.henraux.com, listed in the indicators below). The resulting chain of stages, RollFling, RollSling, RollMid and KaolinRAT, was built to run in memory and to decrypt each next stage with a key derived from the victim machine's SMBIOS data, which binds the stages to the targeted host and means they cannot be decrypted from the samples alone; KaolinRAT supplied RAT functions such as DLL loading and file timestamp manipulation. Finally, Lazarus exploited CVE-2024-21338, at the time a zero-day in the Windows appid.sys driver, through the FudModule 2.0 rootkit to blind security products, moving on from the group's earlier bring-your-own-vulnerable-driver (BYOVD) approach to exploiting a driver that ships with Windows. Together these point to a well-resourced, narrowly targeted operation against technically relevant victims.
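The sideloading step above is what endpoint telemetry sees first, and it is detectable without any sample in hand. The following is an added example, not code from Avast or from the campaign, showing the detection logic a responder would run over Sysmon-style ImageLoad events (Event ID 7 names the fields "Image" and "ImageLoaded"): it flags a known Windows binary loading a DLL with a system DLL's name from anywhere other than System32 or SysWOW64. Only the choice.exe / version.dll pair comes from the article; the sample events, the E:\ mount letter and the VNCViewer folder name are constructed for the example.

```python
"""Flag DLL sideloading of the kind described above: a legitimate Windows
binary (choice.exe) loading a DLL with a system DLL's name (version.dll)
from a non-system directory, typically the one the binary itself sits in.

Added example; not code from the Avast article or the malware it describes.
"""
import ntpath
from typing import List, Optional

# Directories from which Windows loads its own DLLs (lower-case, normalised).
# Assumes %SystemRoot% is C:\Windows; adjust if your image differs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Sideload host -> DLL names it is known to be abused with. The
# choice.exe / version.dll pair is the one named in the article; extend
# this map from your own telemetry.
SIDELOAD_PAIRS = {"choice.exe": {"version.dll"}}


def _norm(path: str) -> str:
    """Normalise a Windows path so comparisons are case-insensitive."""
    return ntpath.normpath(path).lower()


def check_image_load(event: dict) -> Optional[dict]:
    """Inspect one ImageLoad event; return an alert dict or None if benign."""
    image = _norm(event["Image"])          # the process that loaded the DLL
    loaded = _norm(event["ImageLoaded"])   # the DLL that was loaded
    host = ntpath.basename(image)
    dll = ntpath.basename(loaded)

    if dll not in SIDELOAD_PAIRS.get(host, ()):
        return None                        # not a host/DLL pair we track
    dll_dir = ntpath.dirname(loaded)
    if dll_dir in SYSTEM_DIRS:
        return None                        # the genuine system DLL; benign

    beside_exe = dll_dir == ntpath.dirname(image)
    reason = (
        f"{host} loaded {dll} from its own directory instead of System32"
        if beside_exe
        else f"{host} loaded {dll} from non-system directory {dll_dir}"
    )
    return {"image": image, "loaded": loaded, "reason": reason}


def scan(events: List[dict]) -> List[dict]:
    """Run check_image_load over a batch of events and collect the alerts."""
    return [a for a in (check_image_load(e) for e in events) if a]


# Constructed sample telemetry (not from the article): the real version.dll
# loaded from System32, choice.exe run from a user directory but still
# loading the genuine DLL, and the ISO sideload pattern described above
# (E:\ assumed to be the mounted ISO, VNCViewer an assumed folder name).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\choice.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\Users\victim\Downloads\choice.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"E:\VNCViewer\choice.exe",
     "ImageLoaded": r"E:\VNCViewer\version.dll"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["image"], "->", alert["reason"])
```

Only the third sample produces an alert. The second one, choice.exe running from a Downloads folder, is worth a separate lower-severity rule in practice, but it is not sideloading because the DLL it pulled in is the genuine system copy.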

Indicators of Compromise

Hash values are truncated as shown on this page; the full hashes are in the Avast post linked above.

Type   Value                              First seen   Last seen
HASH   b8a4c1792ce2ec15611932437a4a1a7…   2024-04-18   2024-04-18
HASH   9a4bc647c09775ed633c134643d18a0…   2024-04-18   2024-04-18
HASH   01ca7070bbe4bfa6254886f8599d6ce…   2024-04-18   2024-04-18
HASH   e68ff1087c45a1711c3037dad427733…   2024-04-18   2024-04-18
HASH   f47f78b5eef672e8e1bd0f26fb4aa69…   2024-04-18   2024-04-18
HASH   a3fe80540363ee2f1216ec3d01209d7…   2024-04-18   2024-04-18
HASH   a75399f9492a8d2683d4406fa3e1320…   2024-04-18   2024-04-18
HASH   7248d66dea78a73b9b80b528d7e9f53…   2024-04-18   2024-04-18
URL    https://www.henraux.com/           2024-04-18   2024-04-18
URL    https://www.henraux.com/sitemap…   2024-04-18   2024-04-18
