MalwareLab analyzed a Lazarus-attributed validator from malicious Word documents impersonating Lockheed Martin and linked the samples to a broader campaign probably aimed at military contractors doing business with South Korea. The documents embedded two DLLs and an additional lure document so victims saw a fuller decoy rather than only a first page, reducing suspicion during execution. The validator used macro-supplied parameters, deleted the infection document path, established autostart persistence, and in some variants unpacked an intermediary DLL before contacting C2 for the next-stage payload. Its configuration used AES keys derived from an MD5 value, included the C2 URL https://www.astedams.it/include/inc-elenco-offerter.asp, collected drive information, and exchanged compressed and base64-encoded binary blobs before loading a received PE in memory. Attribution is explicitly tied to prior reporting that described the same infection scheme and DLL family, rather than independent attribution from the sample alone.