From Dream Job to Malware: DreamLoaders in Lazarus’ Recent Campaign

2025-10-24 Lab52

https://lab52.io/blog/dreamloaders/


Lab52 analyzed August 2025 Lazarus DreamJob artifacts and found a modular loader set it calls DreamLoaders, including a trojanized TightVNC client, Webservices.dll, radcui.dll, HideFirstLetter.dll, and TSVIPSrv.dll. The campaign aimed to get administrators in targeted organizations to run decoy software, then used DLL sideloading with legitimate Windows binaries, encrypted Base64 payloads, RC4-decrypted paths, and malicious service execution to stage additional components. HideFirstLetter.dll attempted Microsoft OAuth authentication and Microsoft Graph access to retrieve a compromised SharePoint URL, while TSVIPSrv.dll loaded encrypted .mui payload files and showed 85% code similarity to the payload recovered from the trojanized TightVNC sample. The reuse of identical .mui payloads across different compromised machines suggests coordinated deployment and gives defenders concrete hashes, SharePoint domains, loader names, and sideloading behaviors to hunt in DreamJob-related intrusions.

Indicators of Compromise

