Lazarus Group's continued targeted attacks on foreign defense companies detected

2020-05-15, ESTSecurity: Continuous targeting of foreign defense companies by Lazarus Group detected

https://blog.alyac.co.kr/2979


Alyac reports continued Lazarus activity against overseas defense companies, including new malicious Word documents named LM_IFG_536R.docx, BAE_JD_2020.docx, and Boeing_AERO_GS.docx. The documents use an external template relationship to retrieve attacker-controlled macro content, matching earlier May samples with defense-themed filenames. The macro decodes and drops wsdts.db as a DLL, sets persistence through a OneDrive.lnk startup entry, and runs hidden code via rundll32.exe export functions. The decoded payload collects the infected host's computer name, user name, storage details, and process list, Base64-encodes the data, sends it to astedams.it infrastructure, and attempts additional downloads.
