Gold Diggers Hidden in Investment Pitch Decks: APT-C-26 (Lazarus) Attack Activity Analysis Report (original title: 隐藏在投资推介书中的淘金者-APT-C-26(Lazarus)攻击活动分析报告)
2022-04-19 • Qihoo360 • Gold Diggers Hidden in Investment Pitch Decks: APT-C-26 (Lazarus) Attack Activity Analysis Report
360 attributed several 2021 intrusions to APT-C-26 (Lazarus), assessing the activity as consistent with the BlueNoroff sub-group and focused on cryptocurrency theft. The lure was a "Venture Labo Investment Pitch Deck" document that used remote template injection (CVE-2017-0199) to pull attacker-controlled content and prompted the user to enable macros. The macro read encrypted data from the customXml/item1.xml part inside the document, decoded it, and injected the resulting shellcode into explorer.exe on 64-bit systems or notepad.exe on 32-bit systems. The payload beaconed to cloud.beenos.biz, collected host name, user name, timezone, operating system, hardware, proxy and process information, AES-encrypted it, and POSTed it to the C2 with the traffic disguised as image content. The report notes overlap with earlier BlueNoroff tradecraft and IOCs, including the venturelabo.co and azureword.com domains.
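The two document-level artefacts described above (an external attached template in the document's relationships, and a customXml part carrying packed data for the macro to decode) can both be checked without opening the file in Word. The script below is an added triage example, not code from the 360 report: it unpacks an OOXML document with the standard library, reports any http/https attachedTemplate relationship, and flags customXml parts whose text content is large and high-entropy. The sample document it builds is constructed here with a placeholder template URL; the real campaign's template location and the exact encoding of item1.xml are not reproduced, and the size and entropy thresholds are assumptions to tune against your own corpus.

```python
"""Static triage of a .docx for remote-template injection and packed customXml.

Added example (not from the 360 report). Assumptions: the customXml payload is
stored as text inside an XML element (here base64 of random bytes stands in for
the ciphertext), and the 4 KiB / 5.5-bit thresholds are illustrative.
"""
import base64
import io
import math
import random
import re
import zipfile
from collections import Counter

# Standard OOXML relationship type Word uses for an attached (.dotm) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)   # matches <Relationship .../>, not <Relationships>
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; base64 of ciphertext approaches 6.0, ordinary XML text sits near 4.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def remote_templates(z: zipfile.ZipFile) -> list[str]:
    """External http(s) targets of attachedTemplate relationships (CVE-2017-0199 style)."""
    name = "word/_rels/settings.xml.rels"
    if name not in z.namelist():
        return []
    hits = []
    for tag in REL_RE.findall(z.read(name).decode("utf-8", "replace")):
        attrs = dict(ATTR_RE.findall(tag))
        if (attrs.get("Type") == ATTACHED_TEMPLATE
                and attrs.get("TargetMode") == "External"
                and attrs.get("Target", "").lower().startswith(("http://", "https://"))):
            hits.append(attrs["Target"])
    return hits


def suspicious_custom_xml(z: zipfile.ZipFile, min_size: int = 4096,
                          min_entropy: float = 5.5) -> list[tuple[str, int, float]]:
    """customXml parts whose text nodes are large and high-entropy: legitimate
    customXml holds small schema-bound XML, not kilobytes of packed data."""
    findings = []
    for name in z.namelist():
        if not (name.startswith("customXml/") and name.endswith(".xml")):
            continue
        text = re.sub(rb"<[^>]+>", b"", z.read(name)).strip()   # drop tags, keep text nodes
        if len(text) >= min_size:
            ent = shannon_entropy(text)
            if ent >= min_entropy:
                findings.append((name, len(text), round(ent, 2)))
    return findings


def triage(docx_bytes: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return {"remote_templates": remote_templates(z),
                "packed_custom_xml": suspicious_custom_xml(z)}


def build_sample_docx(malicious: bool = True) -> bytes:
    """Constructed minimal .docx; the template URL is a placeholder, not a campaign IOC."""
    target = ("http://template.example.invalid/t.dotm" if malicious
              else "file:///C:/Users/u/AppData/Roaming/Microsoft/Templates/Normal.dotm")
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{target}" TargetMode="External"/>'
            '</Relationships>')
    rng = random.Random(1)   # deterministic stand-in for ciphertext
    blob = base64.b64encode(bytes(rng.getrandbits(8) for _ in range(6000))).decode()
    item = (f'<?xml version="1.0"?><payload>{blob}</payload>' if malicious
            else '<?xml version="1.0"?><ds:item xmlns:ds="urn:x">title</ds:item>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
        z.writestr("customXml/item1.xml", item)
        z.writestr("customXml/itemProps1.xml", "<ds:datastoreItem/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_docx(True)))
    print(triage(build_sample_docx(False)))
```

Run it on a real document with `triage(open(path, "rb").read())`. Either finding on its own is only a lead: templates are legitimately attached from intranet shares, and some add-ins store binary blobs in customXml, so treat a hit as a reason to pull the template target and the VBA project rather than as a verdict.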