Lazarus Group Uses the DLL Side-Loading Technique (2)

2024-01-23 Ahnlab

https://asec.ahnlab.com/en/60792/


AhnLab identified new Lazarus DLL side-loading variants that abuse the legitimate Microsoft wmiapsrv.exe module to load malicious wbemcomn.dll and netutils.dll files. Both malicious DLLs act as backdoors. wbemcomn.dll includes a target-verification routine: it uses the output of GetSystemFirmwareTable to decrypt its resource strings, so the next-stage file is loaded only on the intended systems. netutils.dll loads C:\ProgramData\Microsoft Editor\editor.dat without this verification step, and the excerpt includes PDB information pointing to a loader development path. The behavior is mapped to DLL side-loading (T1574.002) and is presented as part of Lazarus activity against South Korean companies, institutions, think tanks, and related targets.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  21def97a3c5b95df1e1aeb6486881656  2024-01-17  2024-01-23
HASH  edca71eda8650a2c591c37c780b6a0c5  2024-01-17  2024-01-23
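As an added defender-side example (not code from the AhnLab report), the following Python flags image-load records in which wmiapsrv.exe loads wbemcomn.dll or netutils.dll from outside %SystemRoot%, from a relocated copy of the host EXE, or with one of the MD5 hashes listed above. Field names follow Sysmon Event ID 7; every record is constructed, and the C:\ProgramData\Microsoft Editor placement of the sample files is an assumption, not a location the report states.

```python
import ntpath

HOST_EXE = "wmiapsrv.exe"
SIDELOADED_DLLS = {"wbemcomn.dll", "netutils.dll"}
# MD5 values taken from the IoC table above.
KNOWN_BAD_MD5 = {"21def97a3c5b95df1e1aeb6486881656", "edca71eda8650a2c591c37c780b6a0c5"}
SYSTEM_ROOT = "c:\\windows\\"  # lowercase; all paths are lowercased before comparison

# Constructed Sysmon-style (Event ID 7) image-load records; not real telemetry.
# The ProgramData directory is an assumed staging location for the sample.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WmiApSrv.exe",            # benign: host and DLL in place
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll",
     "Hashes": "MD5=00000000000000000000000000000001"},
    {"Image": r"C:\ProgramData\Microsoft Editor\wmiapsrv.exe",     # relocated host + bad DLL
     "ImageLoaded": r"C:\ProgramData\Microsoft Editor\wbemcomn.dll",
     "Hashes": "MD5=21DEF97A3C5B95DF1E1AEB6486881656"},
    {"Image": r"C:\ProgramData\Microsoft Editor\wmiapsrv.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft Editor\netutils.dll",
     "Hashes": "SHA256=...,MD5=edca71eda8650a2c591c37c780b6a0c5"},
    {"Image": r"C:\Users\user\Downloads\wmiapsrv.exe",             # relocated host, clean DLL
     "ImageLoaded": r"C:\Windows\System32\netutils.dll",
     "Hashes": "MD5=00000000000000000000000000000002"},
]


def md5_from_hashes(field):
    """Pull the MD5 value out of a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...'."""
    for part in field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "MD5":
            return value.strip().lower()
    return None


def classify(event):
    """Return a list of reasons the image load looks like side-loading, or None."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    if ntpath.basename(image) != HOST_EXE or ntpath.basename(loaded) not in SIDELOADED_DLLS:
        return None  # not the host/DLL pairing this report describes
    reasons = []
    if md5_from_hashes(event.get("Hashes", "")) in KNOWN_BAD_MD5:
        reasons.append("hash matches published IoC")
    if not image.startswith(SYSTEM_ROOT):
        reasons.append("host EXE running outside %SystemRoot%")
    if not loaded.startswith(SYSTEM_ROOT):
        reasons.append("DLL loaded from outside %SystemRoot%")
    return reasons or None


def scan(events):
    """Return (ImageLoaded, reasons) for every suspicious record."""
    return [(e["ImageLoaded"], r) for e in events if (r := classify(e))]
```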
