Lazarus arsenal update: Analysis of recent Andariel attack samples

2022-04-28 Qianxin Lazarus weapon library update: Analysis of recent Andariel attack samples

https://mp.weixin.qq.com/s/QfbzuIKUPTXE4GdpBMsGbQ


QiAnXin RedDrip analyzed a set of PE samples attributed by code similarity to Lazarus APT's Andariel sub-group, with activity beginning at least in February 2022 based on VirusTotal submission times. The samples included loaders that decrypted and memory-loaded backdoors or browser password stealers, and Go-based downloaders that collected host details, persisted through scheduled tasks or startup links, and fetched second-stage PE payloads. Reported infrastructure included 109.248.144.155 on ports 8443 and 8080, mail.usengineergroup.com resolving to 109.248.144.136, and additional PHP paths used for C2 communication. The backdoors used DES-decrypted C2 strings and traffic-like markers similar to previously reported Andariel tooling, while the Go downloader's base64-delimited host profiling matched earlier Lazarus downloader tradecraft. The report matters because it shows Andariel continuing to refresh its malware library, including Go malware likely chosen to reduce detection, while preserving recognizable command, configuration, and C2 patterns.

Indicators of Compromise

