WinorDLL64: A backdoor from the vast Lazarus arsenal?
2023-02-23 • ESET
https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/
ESET identified WinorDLL64 as a payload of the Wslink loader and assessed with low confidence that it is connected to Lazarus, based on South Korean victim telemetry, timing, development-environment overlap, and behavior and code similarities with GhostSecret and Bankshot-related samples. WinorDLL64 is a backdoor loaded by the server-style Wslink loader; it reuses the encrypted communication context the loader has already established to collect system information, manipulate files, execute commands, and give the operator control of the host. The analysis highlights overlaps such as process listing, directory and volume enumeration, file reading, writing and exfiltration, secure file deletion, process termination, and system-information collection. Supporting tooling evidence includes the use of MemoryModule, Oreans Code Virtualizer in the loader, AES-CBC-protected communications, and command functionality such as PowerShell execution, directory compression and download, session listing, and connection timing. The finding matters because it adds a concrete Wslink payload to the Lazarus toolset, with enough technical detail for defenders to hunt for related loader-payload combinations, while preserving the report's low-confidence attribution.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 70de783e5d48c6fbb576bc494baf063… | 2023-02-23 | 2023-02-23 |
| HASH | 1ba443fde984cee85ebd4d4fa7eb126… | 2023-02-23 | 2023-02-23 |
| HASH | 8ec9219303953396e1cb7105cdb18ed… | 2023-02-23 | 2023-02-23 |
| HASH | fe887fcab66d7d7f79f05e0266c0649… | 2018-04-24 | 2023-02-23 |