Lazarus Group Caught Running Medusa Ransomware: XOR-Decoded Config Exposes Tor C2, IME-Based Loader, and a 7-Month Intrusion Timeline
2026-03-12 • Break Glass Intelligence
Two samples submitted by the same Hungarian incident responder are presented as linking Lazarus Group to Medusa ransomware activity: gaze.exe, a Medusa encryptor, and TSMSISrv.dll, a DLL sideloading loader flagged as Lazarus. The ransomware's XOR-decoded configuration contains four Tor .onion addresses, a victim-specific negotiation endpoint, a Tox chat ID, an RSA public key, shadow-copy deletion commands, and service kill lists targeting security, backup, and database tooling. The loader masquerades as a Windows 8 IME SDK component, runs through the SessionEnv service as SYSTEM, uses COM hijacking for persistence, and includes TLS callbacks plus custom AES tables for anti-analysis and encrypted communications. The seven-month gap between the March 2025 loader build and the October 2025 ransomware build supports a patient access-then-extortion chain, and the PDB path suggests Medusa builder output rather than in-house ransomware development.
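The summary above hinges on an XOR-decoded configuration that yields Tor addresses, a negotiation endpoint, a Tox ID, shadow-copy deletion commands and service kill lists. The following is an added example of the kind of config extractor an analyst writes for that step; it is not code from the article or from Break Glass Intelligence. It assumes a single repeating-byte XOR and a newline-separated `key=value` layout, both of which are assumptions for illustration (the article does not give Medusa's key or layout), and every indicator in the sample is a constructed placeholder, not a real Medusa value.

```python
"""Added example: recover a single-byte XOR key from an embedded config blob and
pull defender-relevant indicators (Tor C2, negotiation endpoint, Tox ID,
shadow-copy deletion commands, service kill list) out of the decoded text.

Assumptions (not from the article): the blob is XORed with one repeating byte and
the decoded config is newline-separated key=value text. All values are placeholders.
"""
import re

# Constructed sample config in the general shape the article describes.
# Onion addresses are 56 base32 chars; a Tox ID is 76 hex chars. Placeholders only.
SAMPLE_CONFIG = b"\n".join([
    b"onion=" + b"a" * 56 + b".onion",
    b"onion=" + b"b" * 56 + b".onion",
    b"negotiate=" + b"c" * 56 + b".onion/chat/victim-0000",
    b"tox=" + b"0" * 76,
    b"pre_cmd=vssadmin delete shadows /all /quiet",
    b"kill_services=backupsvc,sqlsvc,edr-agent",
]) + b"\n"

ONION_RE = re.compile(rb"\b[a-z2-7]{56}\.onion\b")
TOX_RE = re.compile(rb"\b[0-9A-Fa-f]{76}\b")
SHADOW_RE = re.compile(rb"vssadmin[^\n]*delete shadows[^\n]*", re.IGNORECASE)

# Tokens expected in a correct decode; used to break ties between candidate keys.
KNOWN_TOKENS = (b".onion", b"vssadmin")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single key byte (symmetric: encode == decode)."""
    return bytes(b ^ key for b in data)


def _printable_count(buf: bytes) -> int:
    return sum(1 for b in buf if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))


def recover_single_byte_key(blob: bytes) -> int:
    """Try all 256 keys; prefer decodes that are printable and contain known tokens."""
    best_key, best_score = 0, -1
    for key in range(256):
        cand = xor_bytes(blob, key)
        score = _printable_count(cand) + 100 * sum(tok in cand for tok in KNOWN_TOKENS)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def extract_indicators(config: bytes) -> dict:
    """Parse the decoded key=value text and regex-carve indicators from it."""
    fields: dict[str, list[str]] = {}
    for line in config.split(b"\n"):
        if b"=" in line:
            k, v = line.split(b"=", 1)
            fields.setdefault(k.decode(), []).append(v.decode())
    kill = fields.get("kill_services", [""])[0]
    return {
        "onion_addresses": sorted({m.decode() for m in ONION_RE.findall(config)}),
        "negotiation_endpoints": fields.get("negotiate", []),
        "tox_ids": [m.decode() for m in TOX_RE.findall(config)],
        "shadow_copy_commands": [m.decode() for m in SHADOW_RE.findall(config)],
        "kill_services": [s for s in kill.split(",") if s],
    }


def analyze_blob(blob: bytes) -> dict:
    """Recover the key, decode, and return indicators plus the key used."""
    key = recover_single_byte_key(blob)
    result = extract_indicators(xor_bytes(blob, key))
    result["xor_key"] = key
    return result


# Constructed ciphertext standing in for the blob an analyst carves from the binary.
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, 0x5A)

if __name__ == "__main__":
    for k, v in analyze_blob(SAMPLE_BLOB).items():
        print(f"{k}: {v}")
```

The token check matters more than the printable-byte count: a key that differs from the true one by 0x20 case-flips every letter and still scores as mostly printable, so the `.onion` and `vssadmin` matches are what select the right key. Swap `SAMPLE_BLOB` for a blob carved from a real sample and extend `KNOWN_TOKENS` or the regexes to whatever the actual layout turns out to be.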