Lazarus Threat Group Attacking Windows Servers to Use as Malware Distribution Points

2023-07-24 Ahnlab

https://asec.ahnlab.com/en/55369/


ASEC attributed a series of attacks on Windows IIS web servers to the Lazarus group, reporting that the compromised servers were then used as distribution points for malware delivered through INISAFE CrossWeb EX exploitation. The activity abused vulnerable or poorly managed IIS servers: malware processes were spawned by the IIS worker process w3wp.exe, and past cases showed web shells, malicious commands, reconnaissance, and possible lateral movement over RDP. On the compromised hosts Lazarus deployed a Themida-packed build of the JuicyPotato privilege-escalation tool as usopriv.exe, confirmed the elevated privileges with whoami commands, and used the tool to run a DLL loader named usoshared.dat through rundll32. The loader searched for an encrypted data file named {20D1BF68-64EE-489D-9229-95FEFE5F12A4}, expected it to begin with a GIF signature, decrypted its configuration and PE content, and executed the resulting payload in memory. ASEC also linked the distribution infrastructure to ongoing attacks against unpatched INISAFE CrossWeb EX installations that attempted to install SCSKAppLink.dll, which reinforces the need to harden exposed servers and to keep INITECH products on current patches.
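The chain above (w3wp.exe spawning a shell, usopriv.exe, whoami checks, rundll32 loading a .dat module) can be turned into process-creation triage rules. The following is an added example written for this page, not code from ASEC or the report; the event shape, the sample telemetry, the file path and the rundll32 export name are constructed placeholders.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent_image: str  # image name of the parent process
    image: str         # image name of the new process
    cmdline: str       # full command line of the new process

# Children an IIS worker process (w3wp.exe) has no business spawning.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "rundll32.exe", "certutil.exe"}
# File names the ASEC report ties to this campaign.
REPORT_FILENAMES = {"usopriv.exe", "usoshared.dat", "{20d1bf68-64ee-489d-9229-95fefe5f12a4}"}

def rundll32_loads_non_dll(cmdline: str) -> bool:
    """True when rundll32 is asked to load a module whose extension is not .dll."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2:
        return False
    exe = parts[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in ("rundll32.exe", "rundll32"):
        return False
    module = parts[1].split(",", 1)[0].strip().strip('"')
    return not module.lower().endswith(".dll")

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits, parent, image, cmd = [], ev.parent_image.lower(), ev.image.lower(), ev.cmdline.lower()
    if parent == "w3wp.exe" and image in SUSPICIOUS_CHILDREN:
        hits.append("iis_worker_spawned_shell")
    if image == "whoami.exe" or re.search(r"\bwhoami\b", cmd):
        hits.append("privilege_check_whoami")
    if image in REPORT_FILENAMES or any(name in cmd for name in REPORT_FILENAMES):
        hits.append("report_filename_match")
    if rundll32_loads_non_dll(ev.cmdline):
        hits.append("rundll32_non_dll_module")
    return hits

def triage(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every event that matched at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]

# Constructed sample telemetry modelled on the chain in the report; the
# arguments, the temp path and the rundll32 export name are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami"'),
    ProcEvent("cmd.exe", "usopriv.exe", "usopriv.exe <placeholder-args>"),
    ProcEvent("usopriv.exe", "whoami.exe", "whoami"),
    ProcEvent("usopriv.exe", "rundll32.exe", r"rundll32.exe C:\Windows\Temp\usoshared.dat,PlaceholderExport"),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent("explorer.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]
```

The whoami rule is noisy on its own; in practice weight it by co-occurrence with the w3wp.exe parent or the report file names, as `triage` makes visible by listing every rule an event hit.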

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   280152dfeb6d3123789138c0a396f30d   2023-07-14   2023-07-24
HASH   d0572a2dd4da042f1c64b542e24549d9   2023-07-14   2023-07-24
