Lazarus Group Uses the DLL Side-Loading Technique (2)

2024-01-17 Ahnlab Trojan/Win.LazarLoader.C5572843 (2024.01.12.03)

https://asec.ahnlab.com/ko/60470/


AhnLab documented a Lazarus DLL side-loading variant that abuses the legitimate Microsoft wmiapsrv.exe binary to load malicious wbemcomn.dll and netutils.dll files placed in the same directory as the executable. The wbemcomn.dll backdoor includes a host validation routine: it uses GetSystemFirmwareTable output to decrypt a resource string and loads a follow-on file only on the intended system. The related netutils.dll sample loads C:\ProgramData\Microsoft Editor\editor.dat without that validation step and carries a PDB path pointing to a 7-Zip loader build environment. AhnLab detects the activity as Trojan/Win.LazarLoader variants and lists related MD5 indicators for the malicious DLLs.
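As an added, defender-side example (not code from the AhnLab report), the following Python checker flags image-load telemetry (for example Sysmon event ID 7 records) that matches the pattern described above: wmiapsrv.exe running outside its normal directory, or wbemcomn.dll / netutils.dll loaded into it from a non-system directory. It assumes stock Windows install paths, and the sample events are constructed, not taken from the report.

```python
import ntpath

# Assumed legitimate location of the WMI performance adapter host on a stock
# Windows install, and the two DLL names the report says are side-loaded.
WMIAPSRV_DIRS = {r"c:\windows\system32\wbem"}
SIDELOADED_DLLS = {"wbemcomn.dll", "netutils.dll"}
LEGIT_DLL_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\system32\wbem",
    r"c:\windows\syswow64",
}
# Follow-on payload path named in the report.
EDITOR_DAT = r"c:\programdata\microsoft editor\editor.dat"


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (works on any host OS)."""
    return ntpath.normpath(path).lower()


def check_image_load(image: str, loaded: str) -> list[str]:
    """Return the reasons an image-load event (process image, loaded module) is suspicious."""
    reasons = []
    img_dir, img_name = ntpath.split(_norm(image))
    dll_dir, dll_name = ntpath.split(_norm(loaded))
    if img_name != "wmiapsrv.exe":
        return reasons
    if img_dir not in WMIAPSRV_DIRS:
        reasons.append(f"wmiapsrv.exe running from unexpected directory {img_dir}")
    if dll_name in SIDELOADED_DLLS and dll_dir not in LEGIT_DLL_DIRS:
        reasons.append(f"{dll_name} loaded from non-system directory {dll_dir}")
        if dll_dir == img_dir:
            reasons.append("DLL sits beside the host binary (side-loading pattern)")
    return reasons


def check_file_path(path: str) -> bool:
    """True when a file path matches the follow-on payload location from the report."""
    return _norm(path) == EDITOR_DAT


# Constructed sample telemetry: one benign load, two side-loads from a user-writable directory.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\wbem\WmiApSrv.exe", r"C:\Windows\System32\wbem\wbemcomn.dll"),
    (r"C:\Users\Public\Libraries\wmiapsrv.exe", r"C:\Users\Public\Libraries\wbemcomn.dll"),
    (r"C:\Users\Public\Libraries\wmiapsrv.exe", r"C:\Users\Public\Libraries\netutils.dll"),
]


def scan(events):
    """Return (image, dll, reasons) for every event that triggers at least one reason."""
    return [(img, dll, r) for img, dll in events for r in [check_image_load(img, dll)] if r]
```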

Indicators of Compromise

Type  Value                             First Seen  Last Seen
MD5   21def97a3c5b95df1e1aeb6486881656  2024-01-17  2024-01-23
MD5   edca71eda8650a2c591c37c780b6a0c5  2024-01-17  2024-01-23
