Lazarus Group Targeting Windows IIS Web Servers

2023-05-23 AhnLab

https://asec.ahnlab.com/en/53132/


AhnLab reports Lazarus attacks on vulnerable Windows IIS web servers in which malicious activity is launched from w3wp.exe, the IIS worker process. The actor drops Wordconv.exe, msvcr100.dll, and msvcr100.dat on the server and uses DLL side-loading: the malicious msvcr100.dll is loaded by Wordconv.exe, decrypts the Salsa20-encrypted PE held in msvcr100.dat, executes it in memory, and then removes its own traces. Follow-on activity includes abuse of a Notepad++ color-picker plugin to load diagn.dll, loading of an RC6-encrypted payload, suspected credential theft from lsass.exe, internal reconnaissance, and lateral movement over RDP. AhnLab ties msvcr100.dll to earlier Lazarus loaders of the cylvc.dll style and recommends monitoring for abnormal parent-child process relationships (in particular unexpected children of w3wp.exe) and reducing the exposed web-server attack surface by patching vulnerable IIS hosts.
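As an added example (not from the AhnLab report or this page), the following Python hunt runs over Sysmon-style process-create and image-load events and implements the two detection ideas above: any process whose ancestry reaches w3wp.exe through a non-allowlisted child, and a runtime-named DLL such as msvcr100.dll loaded from outside the Windows system directories (the side-loading shape). The sample events, the paths under C:\inetpub, the process GUIDs, the extra runtime DLL names and the allowlist of benign w3wp.exe children are constructed assumptions to tune per server.

```python
"""Hunt for the IIS process-tree and DLL side-loading pattern summarised above,
run over Sysmon-style events. Added example; the sample events are constructed,
not taken from the AhnLab report."""
import json
from pathlib import PureWindowsPath

# Directories a Visual C++ runtime DLL legitimately loads from. A DLL with a runtime
# name anywhere else (web root, temp, a user profile) is a side-load candidate.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# msvcr100.dll is the name from the report; the others are assumed siblings of the pattern.
RUNTIME_DLL_NAMES = {"msvcr100.dll", "msvcr120.dll", "vcruntime140.dll", "msvcp140.dll"}

# Children w3wp.exe spawns legitimately (ASP.NET dynamic compilation). Assumption: tune per host.
W3WP_ALLOWED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}

# Constructed sample events using Sysmon field names (EventID 1 = process create,
# EventID 7 = image load). Paths under C:\inetpub and the GUIDs are hypothetical.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1, "ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"EventID": 1, "ProcessGuid": "g2", "ParentProcessGuid": "g0",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\inetpub\wwwroot\temp\Wordconv.exe"},
    {"EventID": 1, "ProcessGuid": "g4", "ParentProcessGuid": "g9",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 7, "Image": r"C:\inetpub\wwwroot\temp\Wordconv.exe",
     "ImageLoaded": r"C:\inetpub\wwwroot\temp\msvcr100.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcr100.dll"},
]]


def parse_events(lines):
    """One JSON object per line, as an exported Sysmon event stream would give."""
    return [json.loads(line) for line in lines if line.strip()]


def _name(path):
    return PureWindowsPath(path).name.lower()


def _dir(path):
    return str(PureWindowsPath(path).parent).lower()


def w3wp_lineage_alerts(events):
    """Return (image, chain) for every process whose ancestry reaches w3wp.exe,
    unless every link in that chain is an allowlisted child (ASP.NET compilation)."""
    by_guid = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    alerts = []
    for e in by_guid.values():
        chain, cur, seen = [], e, set()
        while cur is not None and cur["ProcessGuid"] not in seen:
            seen.add(cur["ProcessGuid"])          # guard against cyclic/garbled parent data
            chain.append(_name(cur["Image"]))
            if _name(cur["ParentImage"]) == "w3wp.exe":
                if not all(n in W3WP_ALLOWED_CHILDREN for n in chain):
                    alerts.append((e["Image"], " <- ".join(chain + ["w3wp.exe"])))
                break
            cur = by_guid.get(cur["ParentProcessGuid"])  # parent not logged: chain ends
    return alerts


def sideloaded_runtime_dlls(events):
    """Return (loader, dll) for runtime-named DLLs loaded from outside the trusted dirs."""
    hits = []
    for e in events:
        if e.get("EventID") != 7:
            continue
        loaded = e["ImageLoaded"]
        if _name(loaded) in RUNTIME_DLL_NAMES and not _dir(loaded).startswith(TRUSTED_DLL_DIRS):
            hits.append((e["Image"], loaded))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for image, chain in w3wp_lineage_alerts(evts):
        print("w3wp lineage:", chain)
    for loader, dll in sideloaded_runtime_dlls(evts):
        print("side-load candidate:", loader, "loaded", dll)
```

The lineage check walks ParentProcessGuid links rather than matching only direct children, so the Wordconv.exe launched via an intermediate cmd.exe is still attributed to the worker process; the DLL check keys on where a runtime-named DLL lives, which catches the side-load regardless of which signed host binary the actor chose.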

Indicators of Compromise

Type        Value (32-hex-digit MD5)            First Seen   Last Seen
HASH        228732b45ed1ca3cda2b2721f5f5667c    2023-05-17   2023-05-23
HASH        e501bb6762c14baafadbde8b0c04bbd6    2023-05-17   2023-05-23
HASH        47d380dd587db977bf6458ec767fee3d    2023-05-17   2023-05-23
HASH        4d91cd34a9aae8f2d88e0f77e812cef7    2022-10-24   2023-05-23
