AhnLab ASEC reported that Lazarus malware infections were observed in about 47 companies and organizations during Q1 2022, including defense-sector victims. The activity abused the legitimate INITECH INISAFE CrossWeb EX process inisafecrosswebexsvc.exe, which had not been modified, by injecting the malicious SCSKAppLink.dll into it. When injected into that host process, the malware connected to a materic.or.kr path to download an additional payload, saved as main_top[1].htm and copied to C:\Users\Public\SCSKAppLink.dll. ASEC linked the activity to broader Lazarus operations against defense and chemical-sector targets and listed related malware families including LazarAgent, LazarShell, Outlook infostealers, port scanners, keyloggers, and multiple C2 URLs and hashes.