Hunting for Unsigned DLLs to Find APTs
2022-09-26 • Palo Alto Networks
Unit 42 used unsigned-DLL hunting to surface APT activity, including a North Korean cluster it tracks as Selective Pisces, also known as Lazarus Group, ZINC, or APT-C-26. In the DPRK-linked case, MagicLine4NX.exe from DreamSecurity dropped unsigned modules into ProgramData, and the actor enabled DLL side-loading by running a copied instance of the legitimate Windows binary wsmprovhost.exe, which loaded a malicious mi.dll placed beside it. The chain then planted ualapi.dll under C:\Windows\System32 to gain persistence through the DLL loading behavior of spoolsv.exe, illustrating how the actor abused legitimate Korean third-party software together with Windows DLL search behavior. The report matters for detection because it contrasts the common rundll32/regsvr32 pattern of DLL loading with APT-style DLL side-loading, and it gives defenders concrete hunting logic for unsigned DLL execution from user-writable paths.
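The hunting logic the report describes, as an added example that is not Unit 42's code or query language: a small Python hunt over constructed image-load telemetry that flags unsigned DLLs mapped from user-writable directories, Windows binaries running from a copied location outside System32/SysWOW64 (the wsmprovhost.exe pattern), and unsigned DLLs appearing inside a system directory (the ualapi.dll pattern). Loads by rundll32/regsvr32 are rated lower because, as the page notes, that pattern is common. The event field names, the list of writable prefixes, the sample paths and every sample event are assumptions constructed for illustration.

```python
"""Hunt for unsigned DLL loads and DLL side-loading in constructed telemetry.

Added example, not the report's own detection content. Field names, path
lists and sample events are assumptions chosen for illustration only.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories an unprivileged user can normally write to (assumed list).
USER_WRITABLE_PREFIXES = (r"c:\programdata", r"c:\users\public", r"c:\windows\temp")
USER_WRITABLE_MARKERS = (r"\appdata\local", r"\appdata\roaming", r"\downloads")

# Windows binaries that belong in a system directory; a copy elsewhere is suspicious.
SYSTEM_BINARIES = {"wsmprovhost.exe", "spoolsv.exe", "rundll32.exe", "regsvr32.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Generic DLL loaders: unsigned loads through these are common, so lower priority.
GENERIC_LOADERS = {"rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ImageLoad:
    process_path: str  # image of the process that mapped the DLL
    module_path: str   # DLL that was mapped
    signed: bool       # True when the DLL carried a valid Authenticode signature


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    process: str
    module: str


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or any(m in p for m in USER_WRITABLE_MARKERS)


def in_system_dir(path: str) -> bool:
    # Exact directory match: subfolders of System32 are not treated as system dirs.
    return ntpath.dirname(path.lower()) in SYSTEM_DIRS


def hunt(events: list[ImageLoad]) -> list[Finding]:
    """Apply the three hunting rules and return findings in event order."""
    findings: list[Finding] = []
    for e in events:
        proc = ntpath.basename(e.process_path).lower()
        mod = ntpath.basename(e.module_path).lower()
        # Rule 1: unsigned DLL executed from a user-writable path.
        if not e.signed and is_user_writable(e.module_path):
            sev = "medium" if proc in GENERIC_LOADERS else "high"
            findings.append(Finding(sev, "unsigned_dll_user_writable", proc, mod))
        # Rule 2: a Windows system binary running from a copied, non-system location.
        if proc in SYSTEM_BINARIES and not in_system_dir(e.process_path):
            findings.append(Finding("high", "system_binary_copied", proc, mod))
        # Rule 3: unsigned DLL loaded from inside a system directory.
        if not e.signed and in_system_dir(e.module_path):
            findings.append(Finding("high", "unsigned_dll_in_system_dir", proc, mod))
    return findings


# Constructed sample events loosely following the chain described in the report.
SAMPLE_EVENTS = [
    # Copied wsmprovhost.exe side-loading an unsigned mi.dll from ProgramData (assumed paths).
    ImageLoad(r"C:\ProgramData\MagicLine\wsmprovhost.exe", r"C:\ProgramData\MagicLine\mi.dll", False),
    # Print Spooler mapping an unsigned ualapi.dll planted in System32.
    ImageLoad(r"C:\Windows\System32\spoolsv.exe", r"C:\Windows\System32\ualapi.dll", False),
    # Generic loader pattern: rundll32 loading an unsigned DLL from a user temp folder.
    ImageLoad(r"C:\Windows\System32\rundll32.exe", r"C:\Users\alice\AppData\Local\Temp\upd.dll", False),
    # Benign: signed system DLL loaded by svchost.
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\kernel32.dll", True),
    # Benign-looking: unsigned vendor DLL in Program Files (not user-writable), not flagged.
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", False),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.process} -> {f.module}")
```

Feeding real EDR image-load events into `hunt` only requires mapping the process image, module path and signature-verification result onto `ImageLoad`; the writable-path and system-directory lists should be adjusted to the environment, since the ones above are assumptions.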