The APT known as Lazarus conducted spear phishing attacks with weaponized documents masquerading as Lockheed Martin. These weaponized documents perform a series of injections to achieve startup persistence on the victims system. As part of this killchain the Windows Update service is abused for payload execution and Github is utilzed as a C2 to deliver remote commands.
Malwarebytes researches have shared a full synopsis here:
MITRE ATT&CK Lazarus profile:
https://attack.mitre.org/groups/G0032/
Flaw in Hacktivist Ransomware Lets Victims Decrypt Own Files Article Link: https://www.darkreading.com/threat-intelligence/flaw-hacktivist-ransomware-victims-decrypt-files Initial Access Brokers Involved in More Attacks, Including on Critical Infrastructure Article Link:
CISA Warns Microsoft Windows Users—Log Out and Shut Down Article Link: https://www.forbes.com/sites/zakdoffman/2025/12/09/cisa-warns-microsoft-windows-users-log-out-and-shut-down/ Data Brokers are Exposing Medical Professionals, and Turning Their Personal Lives into Open
