Analysis of targeted attacks against specific countries by the Lazarus APT group using recruitment information from a Western aviation giant

2020-04-30 Qianxin Analysis of targeted attacks against specific countries by the Lazarus APT organization using recruitment information from a Western aviation giant

https://ti.qianxin.com/blog/articles/analysis-of-lazarus-apt-oriented-attack-event/


QiAnXin reported a Lazarus-attributed targeted campaign that used diplomatic-relations themes and Western aerospace recruitment lures, including Boeing-themed documents, against specific countries. The lure documents used remote template injection: the document itself carried no macro, but on open it fetched a macro-enabled DOTM template from a remote server, which helped it evade antivirus scanning of the attachment. The template's macro then decoded embedded data and dropped a 32-bit or 64-bit DLL payload matching the host architecture. The DLL deleted the original document, established persistence with an LNK file in the Startup folder, collected host and user information, and contacted the C2 server for follow-on execution; the final-stage malware was not recovered. QiAnXin linked the activity to Lazarus through overlaps with activity previously reported by Telsy, including matching macro flow, DLL logic, and backdoor behavior.
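The remote template injection technique described above leaves a fixed artifact in the document package: an `attachedTemplate` relationship in `word/_rels/settings.xml.rels` with `TargetMode="External"` and a network `Target`. The following detector is an added example written for this page, not code from the QiAnXin report or from the samples it analyzes. It builds a constructed minimal `.docx` in memory (the lure URL `https://example.invalid/cv.dotm` is an assumed placeholder, not an indicator from the report) and checks it for an external template reference, alongside a benign document whose template is a local file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespaces, fixed by the ECMA-376 standard.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes):
    """Return every external attachedTemplate target referenced by a .docx.

    A document that pulls its template over HTTP/HTTPS/SMB carries a
    Relationship of type attachedTemplate with TargetMode="External".
    A legitimate local template has no TargetMode (defaults to Internal)
    and a relative Target such as "template.dotm".
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                hits.append(rel.get("Target"))
    return hits


def is_suspicious_template(target):
    """Flag template targets fetched over a network scheme or UNC path."""
    return target.lower().startswith(("http://", "https://", "ftp://", "\\\\"))


def build_sample_docx(remote_target=None):
    """Constructed minimal .docx for testing; not a real lure document.

    With remote_target set, the settings relationship points at that URL
    (the injection pattern). Without it, the template is a local file.
    """
    if remote_target is not None:
        rel = ('<Relationship Id="rId1" Type="%s" Target="%s" '
               'TargetMode="External"/>' % (ATTACHED_TEMPLATE, remote_target))
    else:
        rel = ('<Relationship Id="rId1" Type="%s" Target="template.dotm"/>'
               % ATTACHED_TEMPLATE)
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">%s</Relationships>' % (PKG_REL_NS, rel))
    settings_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Placeholder parts: enough for the detector, not a Word-valid package.
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", settings_xml)
        z.writestr(SETTINGS_RELS, settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("https://example.invalid/cv.dotm")  # assumed URL
    for target in find_remote_templates(lure):
        verdict = "suspicious" if is_suspicious_template(target) else "review"
        print("remote template:", target, verdict)
    print("benign document hits:", find_remote_templates(build_sample_docx()))
```

Run it over a mail-gateway quarantine or a sandbox's dropped-file directory: a `.docx` with no macros but an external `attachedTemplate` is the signature of this technique, and the `Target` value is the first network indicator to pivot on. The check is deliberately limited to `settings.xml.rels`; other external relationships (OLE links, images) are a separate, noisier signal.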

Indicators of Compromise

Type   Value                                    First Seen   Last Seen
HASH   f4b55da7870e9ecd5f3f565f40490996         2020-04-30   2023-04-12
HASH   2b02465b65024336a9e15d7f34c1f5d9         2020-04-30   2023-04-12
HASH   4c239a926676087e31d82e79e838ced1         2020-04-30   2023-04-12
HASH   183ad96b931733ad37bb627a958837db         2020-04-30   2023-04-12
HASH   65df11dea0c1d0f0304b376787e65ccb         2020-04-30   2023-04-12
HASH   2efbe6901fc3f479bc32aaf13ce8cf12         2020-04-30   2023-04-12
HASH   f6d6f3580160cd29b285edf7d0c647ce         2020-04-30   2023-04-12
HASH   11fdc0be9d85b4ff1faf5ca33cc272ed         2020-04-30   2023-04-12
URL    https://od.lk/d/MzBfMjA1Njc0ODd…         2020-04-30   2020-07-29
URL    https://www.sanlorenzoyacht.com…         2020-04-30   2020-07-29
URL    https://www.elite4print.com/adm…         2020-04-30   2020-04-30

All listed hashes are 32 hexadecimal characters (MD5 length). The URL entries are truncated as published on this page; the full values are in the original report.
