North Korean Hackers Abuse Windows Update Client in Attacks on Defense Industry


Active since at least 2009, Lazarus is the most active North Korean state-sponsored hacking group, with numerous sub-groups operating under its umbrella. It is believed to have orchestrated a string of high-profile intrusions and, in 2021 alone, to have stolen roughly $400 million worth of crypto-assets.

Two different macro-enabled decoy documents, posing as job opportunities at the American aerospace and defense giant Lockheed Martin, were used in the January 2022 Lazarus campaign. Both carry compilation timestamps from April 2020, well before the campaign itself.

In the first of the observed attacks, the malicious macro embedded in the Word document runs as soon as the target enables content: it performs process injection and establishes persistence on the host. Rather than dropping and launching a separate executable, it then hijacks a control-flow path (the reported technique is KernelCallbackTable hijacking) so that the payload executes in memory, which leaves less for file-based scanners to catch.
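The title's reference to the Windows Update client gives defenders a concrete thing to hunt for. The following is an added example, not code from the article or from the researchers it summarizes: a small detector that parses process-creation events and flags two behaviours, an Office application spawning a child process, and wuauclt.exe being told to load a DLL from outside System32. It assumes the LOLBAS-documented invocation form `wuauclt.exe /UpdateDeploymentProvider <dll> /RunHandlerComServer`, and the log lines, paths and DLL names below are constructed for illustration rather than taken from the campaign.

```python
import re

# Constructed sample events in a Sysmon-like key=value layout joined with '|'.
# These are illustrative, not real telemetry from the campaign described above.
SAMPLE_EVENTS = [
    # Benign-looking baseline: the provider DLL is given as a bare filename,
    # which resolves from System32 (assumed normal-looking invocation).
    "Image=C:\\Windows\\System32\\wuauclt.exe|ParentImage=C:\\Windows\\System32\\svchost.exe|"
    "CommandLine=wuauclt.exe /UpdateDeploymentProvider UpdateDeploymentProvider.dll "
    "/ClassId {00000000-0000-0000-0000-000000000000} /RunHandlerComServer",
    # Suspicious: the DLL is loaded from a world-writable directory.
    "Image=C:\\Windows\\System32\\wuauclt.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=wuauclt.exe /UpdateDeploymentProvider C:\\Users\\Public\\drops\\wuaueng.dll /RunHandlerComServer",
    # Suspicious on two counts: spawned by Word, and DLL in a user temp directory.
    "Image=C:\\Windows\\System32\\wuauclt.exe|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "CommandLine=wuauclt.exe /UpdateDeploymentProvider C:\\Users\\alice\\AppData\\Local\\Temp\\core.dll /RunHandlerComServer",
    # Suspicious: Word spawning a shell (classic macro behaviour).
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "CommandLine=cmd.exe /c whoami",
]

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict; values may themselves contain '='."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def provider_dll(cmdline):
    """Return the argument following /UpdateDeploymentProvider, or None."""
    m = re.search(r"/UpdateDeploymentProvider\s+(\"[^\"]+\"|\S+)", cmdline, re.IGNORECASE)
    return m.group(1).strip('"') if m else None


def analyse(line):
    """Return a list of finding strings for one process-creation event."""
    ev = parse_event(line)
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    findings = []

    # Any child of an Office application is worth a look when macros are in play.
    if parent in OFFICE_PROCESSES:
        findings.append(f"office-child: {parent} spawned {image}")

    # Heuristic (assumption): a legitimate provider DLL is passed as a bare name
    # resolved from System32; an explicit path outside System32 is the LOLBin pattern.
    if image == "wuauclt.exe" and "/runhandlercomserver" in cmd.lower():
        dll = provider_dll(cmd)
        if dll is not None:
            dll_norm = dll.replace("/", "\\").lower()
            if "\\" in dll_norm and not dll_norm.startswith(SYSTEM32):
                findings.append(f"wuauclt-lolbin: loads {dll}")
    return findings


def analyse_all(events):
    """Map each event index to its findings, omitting events with none."""
    return {i: f for i, f in ((i, analyse(e)) for i, e in enumerate(events)) if f}


if __name__ == "__main__":
    for idx, hits in analyse_all(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(hits))
```

The path check is deliberately narrow: it does not try to validate the DLL's signature or the ClassId, only whether the binary was pointed at a file it should never need. In production you would pair this with parent-process lineage (wuauclt.exe started by anything other than the Windows Update service host) and with file-creation events for the DLL itself.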