Validin used historic DNS, host-response data, and certificate pivots to expand from roomconnect[.]online into additional infrastructure assessed as Lazarus Group-related. The research focused on meeting-themed domains, wildcarded subdomains, shared IP resolutions, certificate SHA1 8edc64bd3deaa4397af5453aee893fa6704dfabf, registration timing, and overlap with previously known Lazarus-associated indicators such as instant-patch[.]online. The pivots produced higher-confidence domains including virtual-collab[.]online, meeting-hub[.]online, meeting-central[.]online, and broader sets of meeting and document-sharing themed domains consistent with Lazarus phishing and impersonation tradecraft. Validin reported 29 apex domains and 8 IP addresses as currently or recently associated with the activity based on those infrastructure relationships.