Recent attack methods and evolution patterns of the Lazarus group
2021-07-30 • Sands Lab
https://drive.google.com/file/d/18jFDyBvBEazOzXLkWRJNxatJTxV1UoMw/view
Sands Lab tracked Lazarus Group document-based malware collected from malwares.com that impersonated companies including Rheinmetall, GM, and Airbus. The campaign used malicious Word documents with similar VBA scripts, Base64-encoded payloads, script components split up for antivirus evasion, sandbox delay logic, C2 downloads, and explorer.exe injection. The report links the tradecraft to earlier Lazarus HWP attacks from 2019 and assesses the corporate lure documents as likely Lazarus activity.