Lazarus Threat Group Exploiting Vulnerability of Korean Finance Security Solution
2023-06-14 • Ahnlab
AhnLab reports that Lazarus exploited zero-day vulnerabilities in the Korean finance and enterprise security products VestCert and TCO!Stream, expanding beyond the previously abused INISAFE CrossWeb EX and MagicLine4NX software. In the VestCert case, users running a vulnerable Windows installation who visited a compromised website had PowerShell launched through a flaw in a third-party library; the PowerShell stage then downloaded and executed malware such as WinSync.dll. For internal propagation, Lazarus targeted TCO!Stream clients listening on TCP 3511: crafted command packets caused the clients to retrieve and run attacker-prepared files from the TCO!Stream server, including loadconf.exe and related backdoor components. ASEC says the vulnerabilities were reported to KISA and patched, but manual updates were required on affected systems.
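As an added defender-side example (not from the AhnLab report), the following Python correlator flags the internal-propagation pattern described above: a TCP 3511 command packet arriving at a TCO!Stream client from a host other than the management server, escalated when that client then launches loadconf.exe within a short window. The server address, the pipe-delimited log format, the install path and the sample events are all assumptions.

```python
from datetime import datetime, timedelta

# Assumption: the only host permitted to send commands to TCO!Stream clients on
# TCP 3511 is the management server; adjust for the real deployment.
TCO_SERVERS = {"10.0.0.5"}
TCO_PORT = "3511"
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry (not from the report). Two record types:
#   net  -> timestamp|net|src_ip|dst_ip|dst_port
#   proc -> timestamp|proc|host_ip|parent_image|child_image
SAMPLE_LOG = """\
2023-06-01T09:00:01|net|10.0.0.5|10.0.1.20|3511
2023-06-01T09:03:10|proc|10.0.1.20|C:\\TCOStream\\client.exe|C:\\TCOStream\\loadconf.exe
2023-06-01T10:15:00|net|10.0.1.33|10.0.1.41|3511
2023-06-01T10:16:30|proc|10.0.1.41|C:\\TCOStream\\client.exe|C:\\TCOStream\\loadconf.exe
2023-06-01T11:00:00|net|10.0.1.33|10.0.1.50|3511
2023-06-01T11:45:00|proc|10.0.1.50|C:\\TCOStream\\client.exe|C:\\TCOStream\\loadconf.exe
"""

def detect(log_text, servers=TCO_SERVERS, window=WINDOW):
    """Return alerts in log order: 'medium' for a 3511 command from a non-server
    peer, 'high' when the targeted client launches loadconf.exe within the window."""
    alerts = []
    recent = {}  # client_ip -> time of the last unexpected inbound 3511 connection
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        ts = datetime.fromisoformat(fields[0])
        if fields[1] == "net":
            src, dst, port = fields[2], fields[3], fields[4]
            if port == TCO_PORT and src not in servers:
                recent[dst] = ts
                alerts.append({"sev": "medium", "host": dst, "peer": src})
        elif fields[1] == "proc":
            host, child = fields[2], fields[4]
            seen = recent.get(host)
            # Legitimate server-driven updates never set `recent`, so a loadconf.exe
            # launch only escalates when preceded by an unexpected command peer.
            if seen and ts - seen <= window and child.lower().endswith("\\loadconf.exe"):
                alerts.append({"sev": "high", "host": host, "image": child})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The third client (10.0.1.50) stays at medium because its loadconf.exe launch falls outside the correlation window, which is the kind of threshold a deployment should tune against its own TCO!Stream traffic.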