Lazarus Backdoor with IT Lure

2025-02-13 dmpdump

https://dmpdump.github.io/posts/Lazarus-Backdoor-ITLure/


A sample shared as possible Lazarus malware was assessed as a North Korean backdoor, likely a newer version of PEBBLEDASH. The campaign used a 64-bit dropper with a PDF icon and a decoy Oracle scheduled-maintenance report tied to a South Korean IT context, with Unison Co Ltd. assessed as the likely target. The dropper installed iconcache.tmp.pif under C:\ProgramData and set persistence through a registry Run key; the backdoor then decrypted its C2 address, www.addfriend[.]kr, and entered a remote-command loop. The backdoor supports process creation, token impersonation, file read/write, DLL registration via regsvr32, shell command execution, screenshot capture, host and network-adapter discovery, persistence removal, and self-deletion. Data sent to the C2 uses sep, sid, and encrypted data parameters; response data appears to be AES-encrypted and base64-encoded.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
URL    http://www.addfriend.kr/board/u…    2025-02-13   2025-04-13
HASH   d0a41dfe8f5b5c8ba6a5d0bdc375454…    2025-02-13   2025-02-13
HASH   6744ca5d49833c9b90aee0f3be39d28…    2025-02-13   2025-02-13
