Lazarus supply‑chain attack in South Korea
2020-11-16 • ESET
https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/
ESET described a Lazarus supply-chain attack in South Korea that abused WIZVERA VeraPort, software commonly used by government and banking websites to install required security components. The attackers compromised websites that already supported VeraPort and replaced legitimate bundled software with Lazarus malware, relying on VeraPort’s acceptance of any valid code-signing certificate rather than verifying the signer’s identity. Two observed samples, Delfino.exe and MagicLineNPIZ.exe, were camouflaged as South Korean security software and signed with certificates issued to ALEXIS SECURITY GROUP and DREAM SECURITY USA. The campaign shows Lazarus using trusted domestic software-distribution workflows and stolen certificates to deliver malware under restrictive preconditions.
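The trust gap described above, as an added Python example (not ESET's or WIZVERA's code): it contrasts accepting any validly signed binary with pinning the expected signer for each component, and lists the files that only the weaker policy lets through. The `SignedFile` records, the pin list and its placeholder publisher names are constructed for illustration; only the two file names and the two certificate subjects come from the summary.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignedFile:
    name: str          # file name offered by the download site
    chain_valid: bool  # assumed result of an earlier signature/chain check
    signer: str        # subject name on the signing certificate

# Hypothetical pin list: component -> publisher the deployer expects.
# Publisher names are placeholders, not the real vendors.
EXPECTED_SIGNER = {
    "Delfino.exe": "EXAMPLE VENDOR A (placeholder)",
    "MagicLineNPIZ.exe": "EXAMPLE VENDOR B (placeholder)",
}

def _norm(subject):
    # Collapse whitespace and case so formatting differences do not matter.
    return " ".join(subject.split()).casefold()

def accept_any_valid_signature(f):
    # Weak policy: a valid signature from any signer is enough.
    return f.chain_valid

def accept_pinned_signer(f, pins=EXPECTED_SIGNER):
    # Hardened policy: valid chain AND exact match on the expected signer.
    expected = pins.get(f.name)
    if expected is None:
        return False  # unknown component: fail closed
    # Exact comparison, never substring, so lookalike names do not pass.
    return f.chain_valid and _norm(f.signer) == _norm(expected)

def audit(files):
    # Files the weak policy installs but the pinned policy rejects.
    return [f.name for f in files
            if accept_any_valid_signature(f) and not accept_pinned_signer(f)]

# Constructed sample input.
SAMPLE = [
    SignedFile("Delfino.exe", True, "ALEXIS SECURITY GROUP"),
    SignedFile("MagicLineNPIZ.exe", True, "DREAM SECURITY USA"),
    SignedFile("Delfino.exe", True, "Example Vendor A  (placeholder)"),
    SignedFile("MagicLineNPIZ.exe", False, ""),
]

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("valid signature, unexpected signer:", name)
```

Matching on the subject name is the minimum; pinning the certificate thumbprint or the file hash is stricter, since a subject string can be reissued to another party.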