Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America

2018-11-20 Trend Micro

https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/


In September 2018 Trend Micro observed Lazarus, specifically its Bluenoroff subgroup, planting backdoors on machines at financial institutions in Latin America. The attack reused a modular backdoor approach resembling earlier Lazarus activity: loader DLLs named AuditCred or ROptimizer, installed as Windows services, loaded the encrypted Msadoz backdoor into memory. Configuration files named Auditcred.dll.mui or rOptimizer.dll.mui stored the command-and-control data, and the encrypted backdoor was kept under %Program Files%\Common Files\System\ado to complicate discovery and removal. The backdoor could collect drive and file information, download additional malware, manage processes, inject code, delete files, and run in a passive listening mode, making it a serious threat to the targeted financial organizations.

Indicators of Compromise

Type   Value            First Seen   Last Seen
IPv4   46.21.147.161    2018-11-20   2018-11-20
IPv4   107.172.195.20   2018-11-20   2018-11-20
IPv4   192.3.12.154     2018-11-20   2018-11-20
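Detection logic that hunts for the artifacts described in the summary above (the AuditCred and ROptimizer loader names, the .mui configuration files, the %Program Files%\Common Files\System\ado directory) and the three C2 addresses in the table, run over a constructed event feed. This is an added example, not code from Trend Micro or from the report; the key=value event format, the field names (path, dll, image, dst), the .dll extension on the loader names, and every sample line are assumptions made for the illustration.

```python
"""Hunt for the loader, configuration, backdoor-directory and C2 indicators
from the report over a key=value event feed.

Added example; not Trend Micro's code.  Event format, field names and all
sample lines are constructed for the illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators stated in the report summary and the IOC table.
C2_IPS = {"46.21.147.161", "107.172.195.20", "192.3.12.154"}
CONFIG_NAMES = {"auditcred.dll.mui", "roptimizer.dll.mui"}
# The summary names the loaders AuditCred and ROptimizer; the .dll extension is assumed.
LOADER_NAMES = {"auditcred.dll", "roptimizer.dll"}
# %Program Files%\Common Files\System\ado, matched as directory components so that
# both "Program Files" and "Program Files (x86)" match and "...\System\adobe" does not.
BACKDOOR_DIR = ("common files", "system", "ado")

PATH_KEYS = {"path", "dll", "image"}  # assumed field names carrying a file path
DEST_KEYS = {"dst"}                   # assumed field name carrying the remote IP


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str  # which indicator fired
    value: str      # the field value that matched


def parse_kv(line):
    """Parse 'k=v k2="v with spaces"' into a dict of lower-cased keys."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def path_indicators(value):
    """Return the indicator names that a file path matches (possibly several)."""
    parts = [p for p in value.replace("/", "\\").lower().split("\\") if p]
    if not parts:
        return []
    base, dirs = parts[-1], parts[:-1]
    hits = []
    if base in LOADER_NAMES:
        hits.append("loader_dll")
    if base in CONFIG_NAMES:
        hits.append("c2_config_mui")
    n = len(BACKDOOR_DIR)
    if any(tuple(dirs[i:i + n]) == BACKDOOR_DIR for i in range(len(dirs) - n + 1)):
        hits.append("backdoor_dir")
    return hits


def ip_indicator(value):
    """Return "c2_ip" on an exact C2 address match; malformed values never match."""
    try:
        addr = str(ipaddress.ip_address(value))  # normalises; rejects "192.3.12.1540"
    except ValueError:
        return None
    return "c2_ip" if addr in C2_IPS else None


def scan(lines):
    """Run every indicator over every event; returns the hits in log order."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for key, value in parse_kv(line).items():
            if key in PATH_KEYS:
                hits.extend(Hit(line_no, ind, value) for ind in path_indicators(value))
            elif key in DEST_KEYS:
                ind = ip_indicator(value)
                if ind:
                    hits.append(Hit(line_no, ind, value))
    return hits


# Constructed sample feed: four events that should fire, three that should not.
# The file name under the ado directory is made up; the summary gives only the directory.
SAMPLE_LOG = [
    'ts=2018-09-12T08:01:33Z type=service_install name=AuditCred dll="C:\\Program Files\\Common Files\\AuditCred.dll"',
    'ts=2018-09-12T08:01:34Z type=file_create path="C:\\Program Files\\Common Files\\Auditcred.dll.mui"',
    'ts=2018-09-12T08:01:35Z type=file_create path="C:\\Program Files (x86)\\Common Files\\System\\ado\\encrypted.bin"',
    'ts=2018-09-12T08:02:10Z type=netconn src=10.20.30.40 dst=46.21.147.161 dport=443',
    'ts=2018-09-12T08:02:11Z type=netconn src=10.20.30.40 dst=192.3.12.1540 dport=443',  # malformed: no match
    'ts=2018-09-12T08:03:00Z type=file_create path="C:\\Program Files\\Common Files\\System\\adobe\\Reader.dll"',  # benign
    'ts=2018-09-12T08:03:05Z type=netconn src=10.20.30.40 dst=8.8.8.8 dport=53',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator} <- {hit.value}")
```

Two design points matter in practice. The backdoor directory is matched on its path components rather than by substring, so %Program Files% expanding to either "Program Files" or "Program Files (x86)" still matches while a sibling such as "System\adobe" does not. The C2 addresses are compared after parsing with ipaddress, so a truncated or concatenated value like "192.3.12.1540" can never fire and the comparison is an exact address match rather than a prefix match.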
