North Korea Turns Against New Targets?!

2019-02-19 Checkpoint

https://research.checkpoint.com/north-korea-turns-against-russian-targets/

Check Point observed malicious Office documents uploaded from Russian sources that appeared tailored to Russian organizations and showed intrinsic connections to Lazarus tactics, techniques, and tools, while noting attribution limits. The infection chain used a ZIP containing a benign PDF decoy and a macro-enabled Word document; macros either downloaded a VBS stage from Dropbox-like infrastructure or later skipped directly to downloading the final payload. The VBS stage retrieved a CAB disguised as a JPEG from a compromised Iraqi server and expanded it with Windows expand.exe into the KEYMARBLE Lazarus backdoor. The activity was notable because it suggested North Korea-linked operators targeting Russian entities, an unusual victim set compared with the group’s better-known South Korean, U.S., Japanese, financial, and cryptocurrency operations.

Indicators of Compromise

Type Value First Seen Last Seen
HASH 088c6157d2bb4238f92ef6818b9b1ff… 2019-02-19 2019-02-19
HASH e89458183cb855118539373177c6737… 2019-02-19 2019-02-19
HASH 4cd5a4782dbed5b8e337ee402f1ef74… 2019-02-19 2019-02-19
IPv4 194.45.8.41 2019-02-19 2019-02-19
IPv4 37.238.135.70 2019-02-19 2019-02-19
