The APT known as Lazarus conducted spear phishing attacks with weaponized documents masquerading as Lockheed Martin. These weaponized documents perform a series of injections to achieve startup persistence on the victims system. As part of this killchain the Windows Update service is abused for payload execution and Github is utilzed as a C2 to deliver remote commands.
Malwarebytes researches have shared a full synopsis here:
MITRE ATT&CK Lazarus profile:
https://attack.mitre.org/groups/G0032/
Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim ‘Korean Leaks’ Data Heist Article Link: https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html Emergency Alerts Go Dark After Cyberattack on OnSolve CodeRED
Lesson from the Cloudflare Outage: Don’t Jump to Conclusions About External Threats Article link: https://www.scworld.com/perspective/lesson-from-the-cloudflare-outage-dont-jump-to-conclusions-about-external-threats Google Chrome Bug Exploited as an 0-Day – Patch
