Analysis of Lazarus Group's Attack Targeting Windows Web Servers
Essential information
- Published: 11/03/2025 14:20
- Modified: 11/03/2025 16:53
- Tags: 2025-03-11, c2, proxy, iis, lazarloader, privilege-escalation, uac bypass, web servers, webshell, windows
- Related entities: 1 intrusion set (APT), 8 techniques (MITRE), 1 malware, 1 other
Description
The Lazarus group has been targeting Windows web servers, particularly in South Korea, installing webshells and C2 scripts to use compromised servers as proxies. The attacks involve multiple stages, including the use of LazarLoader malware and privilege escalation tools. The C2 scripts act as proxies between the malware and secondary C2 servers. Various webshells were identified, including RedHat Hacker and custom ASP shells. The LazarLoader downloader was used to fetch additional payloads, while a privilege escalation tool exploited UAC bypass techniques. The attackers aim to establish persistence and gain elevated access on compromised systems.