Increased attacks targeting defense companies by the Lazarus group

2020-05-08 AhnLab Increased attacks targeting defense companies by the Lazarus group

https://asec.ahnlab.com/1317


AhnLab observed increased Lazarus activity against defense-related targets, delivered through Office Open XML Word documents themed around BAE Systems, Boeing, and U.S.-ROK diplomatic security. Each document referenced an external template URL, from which Word fetched a macro-enabled .dotm file; the template's AutoOpen VBA then deleted the original lure, displayed a benign decoy document, and dropped architecture-specific DLLs under paths that mimic Microsoft directories. The DLLs were executed through exported functions that expect unique argument strings, abused SQLite-related functionality to steal information, and launched further rundll32.exe activity. Collected data was sent by HTTP POST to C2 infrastructure such as www.astedams[.]it/newsl/offerte-news.asp; the related template URLs were hosted on astedams[.]it and od.lk.
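As an added example (not code from the AhnLab report), a Python check for the remote-template hook the summary describes: it opens an Office Open XML package, walks every .rels part and reports relationships whose TargetMode is External, which is how a .docx makes Word fetch a .dotm from a remote server. The sample document and its URL are constructed here and are not real indicators.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses for an attached template (local or remote).
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Constructed, non-routable URL for the sample document; not a real indicator.
SAMPLE_TEMPLATE_URL = "https://example.invalid/uploads/lure.dotm"


def build_sample_docx(template_url, external=True):
    """Build a minimal constructed .docx whose settings.xml.rels attaches a
    template, externally (the remote-template technique) or internally."""
    rels_ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    mode = ' TargetMode="External"' if external else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{rels_ns}"><Relationship Id="rId1" '
                   f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}"{mode}/>'
                   "</Relationships>")
    return buf.getvalue()


def find_external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target) for every relationship in any .rels
    part that points outside the package (TargetMode="External")."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter():
                if (rel.tag.split("}")[-1] == "Relationship"
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return hits


def remote_template_targets(docx_bytes):
    """Targets of external attachedTemplate relationships: the hook a
    remote-template lure uses to make Word fetch a macro-enabled .dotm."""
    return [target for _, rel_type, target in find_external_relationships(docx_bytes)
            if rel_type == ATTACHED_TEMPLATE]
```

Any non-empty result from remote_template_targets on a document received by mail is worth quarantining and checking against the template URLs in the indicator table; external relationships of other types (hyperlinks, linked images) also surface, so filter on the type that matters to you.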

Indicators of Compromise

Type Value First Seen Last Seen
URL http://schemas.openxmlformats.o… 2020-03-20 2023-06-06
URL https://www.astedams.it/uploads… 2020-05-08 2020-07-29
URL https://od.lk/d/MzBfMjA1Njc0ODd… 2020-04-30 2020-07-29
URL https://www.astedams.it/uploads… 2020-05-08 2020-05-15
