Is the Lazarus group expanding its arsenal? Its reach extends to the aviation industry and security researchers
2021-12-30 • Threat Book
Lazarus targeted aviation organizations and security researchers with social engineering and trojanized tooling. MicroStep observed Lockheed Martin and Google recruitment lure documents that used remote template injection to load DLL backdoors derived from NppShell, with C2 infrastructure including mante.li, bmanal.com, shopandtravelusa.com, industryinfostructure.com, and canyonzcc.com. The same activity set shipped a modified SumatraPDF that, when opening a PDF with a specific MD5, triggered a download from industryinfostructure.com, and it bundled a malicious component into an IDA Pro installer that created a scheduled task and loaded idahelper.dll. The reporting ties these techniques to known Lazarus tradecraft and assesses that the likely objective against researchers was theft of high-value exploit knowledge.
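The remote template injection described above leaves a concrete artifact in the document package: an `attachedTemplate` relationship in `word/_rels/settings.xml.rels` whose target is an external URL rather than a local path. The following added example (not code from the report or from ThreatBook) is a small defender-side checker that opens a `.docx`, extracts every external `attachedTemplate` target, and flags hosts that match the C2 domains the report lists. The `build_sample_docx` helper only constructs a minimal in-memory package as a test fixture; it is not a real lure and the `rId1` identifier and template filename are made up for the test.

```python
"""Detect Word remote-template injection in .docx packages (added example)."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# C2 domains named in the ThreatBook/MicroStep report on this activity set.
KNOWN_C2_DOMAINS = {
    "mante.li",
    "bmanal.com",
    "shopandtravelusa.com",
    "industryinfostructure.com",
    "canyonzcc.com",
}

SETTINGS_RELS = "word/_rels/settings.xml.rels"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def _matches_known_c2(host):
    """True if host is one of the reported C2 domains or a subdomain of one."""
    host = host.lower()
    return host in KNOWN_C2_DOMAINS or any(
        host.endswith("." + d) for d in KNOWN_C2_DOMAINS
    )


def remote_templates(docx_bytes):
    """Return [(target_url, known_c2)] for every external attachedTemplate relationship.

    A benign document normally has no settings.xml.rels at all, or one whose
    attachedTemplate points at a local .dotm path (TargetMode absent).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if SETTINGS_RELS not in pkg.namelist():
            return findings
        root = ET.fromstring(pkg.read(SETTINGS_RELS))
    for rel in root.iter(RELS_NS + "Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
            continue
        if rel.get("TargetMode") != "External":
            continue  # local template reference, not a network fetch
        target = rel.get("Target", "")
        host = urlparse(target).hostname or ""
        findings.append((target, _matches_known_c2(host)))
    return findings


def build_sample_docx(template_url=None):
    """Construct a minimal .docx-shaped zip as a test fixture (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        pkg.writestr("word/document.xml",
                     "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        if template_url is not None:
            # rId1 is an assumed relationship id used only by this fixture.
            pkg.writestr(SETTINGS_RELS,
                         "<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>"
                         f"<Relationship Id='rId1' Type='{ATTACHED_TEMPLATE_TYPE}' "
                         f"Target='{template_url}' TargetMode='External'/></Relationships>")
    return buf.getvalue()


def scan_file(path):
    """Scan one .docx on disk and return its findings."""
    with open(path, "rb") as fh:
        return remote_templates(fh.read())


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No file given: run against the constructed fixture instead.
        demo = build_sample_docx("https://mante.li/template.dotm")  # constructed sample
        for target, known in remote_templates(demo):
            print(f"external template: {target}  known_c2={known}")
    for p in paths:
        for target, known in scan_file(p):
            print(f"{p}: external template {target}  known_c2={known}")
```

The check deliberately keys on `TargetMode="External"` rather than on the URL scheme, because that attribute is what tells Word to fetch the template over the network when the document opens; a document that merely names a local `.dotm` is not flagged. Unknown external hosts are still reported with `known_c2=False`, since the report's domain list is a point-in-time snapshot.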