Lazarus APT group attacks with '진실겜.xls' malicious file via Telegram messenger

2019-06-27 ESTSecurity: Lazarus APT group attacks with 'TruthGame.xls' malicious file via Telegram messenger

https://blog.alyac.co.kr/2388


ESRC attributed a Telegram-delivered malicious Excel workbook to Lazarus APT activity after finding it under a victim's Telegram Desktop download path. The workbook's Auto_Open macro, built from older sample code, created and ran a PowerShell script intended for bot-style command-and-control activity. ESRC observed that the PowerShell component shared C2 communication traits and code with earlier Lazarus tooling and was still live at analysis time, collecting victim information and monitoring for additional payloads. The report assessed the targeting and tool overlap as consistent with a focused attack rather than broad, indiscriminate distribution.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    64edec1d585ba599354f927249e12e6d   2019-06-27  2019-06-27
URL     https://pegasusco.net              2019-06-27  2019-06-27
URL     https://smilekeepers.co            2019-06-27  2019-06-27
URL     https://czinfo.club                2019-06-27  2019-06-27
DOMAIN  smilekeepers.co                    2019-06-27  2019-06-27
DOMAIN  pegasusco.net                      2019-06-27  2019-06-27
DOMAIN  czinfo.club                        2019-06-27  2019-06-27
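The following is an added example, not code from ESRC or the report above: a small matcher that takes the hash and domain indicators from the table and runs them over constructed proxy, DNS and file-hash log lines (the sample lines are invented for the example, not real telemetry). It goes one step beyond the table's exact values by also flagging subdomains of a listed domain, while not matching look-alike names that merely end in the same characters.

```python
"""Match the IoCs from the table above against constructed log lines.
Added example (not ESRC's code); indicators are copied from the page."""
import re
from urllib.parse import urlparse

# Indicators copied from the page's IoC table.
IOC_HASHES = {"64edec1d585ba599354f927249e12e6d"}
IOC_DOMAINS = {"pegasusco.net", "smilekeepers.co", "czinfo.club"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
# A bare hostname token such as "czinfo.club." as it appears in a DNS query log line.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\.?(?=\s|$)", re.IGNORECASE)


def normalize_host(host):
    """Lower-case a hostname and drop the trailing dot that DNS logs often keep."""
    return host.rstrip(".").lower()


def matching_domain(host):
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = normalize_host(host)
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def hosts_in_line(line):
    """Extract candidate hostnames from URLs and bare host tokens in one log line."""
    hosts = []
    for url in URL_RE.findall(line):
        parsed = urlparse(url)
        if parsed.hostname:
            hosts.append(parsed.hostname)
    hosts.extend(HOST_RE.findall(line))
    return hosts


def scan_logs(lines):
    """Return (line_number, indicator_type, indicator) for each IoC hit, one per line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        seen = set()
        for host in hosts_in_line(line):
            d = matching_domain(host)
            if d and ("domain", d) not in seen:
                seen.add(("domain", d))
                hits.append((n, "domain", d))
        for h in MD5_RE.findall(line):
            h = h.lower()
            if h in IOC_HASHES and ("hash", h) not in seen:
                seen.add(("hash", h))
                hits.append((n, "hash", h))
    return hits


# Constructed sample log lines (not real telemetry): a file-hash record,
# DNS queries and proxy requests, including two benign lines and a look-alike domain.
SAMPLE_LOGS = [
    "2019-06-27T09:10:05Z 10.0.0.15 FILE C:\\Users\\victim\\Downloads\\Telegram Desktop\\진실겜.xls md5=64edec1d585ba599354f927249e12e6d",
    "2019-06-27T09:12:40Z 10.0.0.15 DNS query czinfo.club. A",
    "2019-06-27T09:12:44Z 10.0.0.15 GET https://pegasusco.net/ HTTP/1.1 200",
    "2019-06-27T09:13:01Z 10.0.0.15 GET https://www.example.com/ HTTP/1.1 200",
    "2019-06-27T09:14:10Z 10.0.0.22 GET https://cdn.smilekeepers.co/x.ps1 HTTP/1.1 404",
    "2019-06-27T09:15:00Z 10.0.0.22 DNS query notsmilekeepers.co. A",
]

if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator {value}")
```

Run as-is it reports the hash on line 1, czinfo.club on line 2, pegasusco.net on line 3 and smilekeepers.co on line 5 (via the cdn. subdomain); line 6's notsmilekeepers.co is correctly left alone because the suffix check requires a dot boundary. The URL indicators in the table reduce to the same three domains, so matching on hostnames covers them too.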
