QiAnXin RedDrip analyzes activity suspected to involve Lazarus using Korean-language lures tied to Daewoo Shipbuilding, resident registration forms, and related East Asian themes. The samples used VBA macros to display decoy content, extract an HTA/JavaScript payload hidden in an image resource, and write a Winvoke.exe loader that decrypted and ran a RAT in memory. The malware established persistence through a startup shortcut, used a Microsoft32 mutex, and supported command execution and in-memory code loading from C2. The source links the activity to Lazarus through similarities in macros, second-stage loader behavior, and encryption traits resembling BISTROMATH RAT, while noting the samples mainly targeted East Asia.