The APT known as Lazarus conducted spear phishing attacks with weaponized documents masquerading as Lockheed Martin. These weaponized documents perform a series of injections to achieve startup persistence on the victims system. As part of this killchain the Windows Update service is abused for payload execution and Github is utilzed as a C2 to deliver remote commands.
Malwarebytes researches have shared a full synopsis here:
MITRE ATT&CK Lazarus profile:
https://attack.mitre.org/groups/G0032/
CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Article Link: https://thehackernews.com/2025/10/cisa-and-nsa-issue-urgent-guidance-to.html U.S. Stands Out in Refusal to Sign UN Cybercrime Treaty
AWS Outage Exposes ‘Dangerous’ Over-Reliance on US Cloud Giants Article Link: https://www.datacenterknowledge.com/outages/aws-outage-exposes-dangerous-over-reliance-on-us-cloud-giants Microsoft Threatens to Ram Copilot into Exchange Server On-Prem Article Link: https://www.theregister.com/2025/10/23/copilot_exchange_server/ Ransomware
