McAfee ATR observed a 2020 Operation North Star activity set using malicious job-offer documents to target aerospace and defense interests and install data-gathering implants. The activity used legitimate defense-contractor job postings as lures, template injection in Office documents to fetch remote DOTM templates, and Visual Basic macros that loaded DLL implants on victim systems. McAfee linked the 2020 indicators and TTPs to prior 2017 and 2019 activity attributed by the U.S. government to Hidden Cobra, the North Korea-linked umbrella that includes Lazarus, Kimsuky, KONNI, and APT37. The campaign used compromised infrastructure across multiple European countries for command and control and implant distribution, supporting victim identification and intelligence collection against strategically sensitive sectors.