RIFT: Analysing a Lazarus Shellcode Execution Method

2021-01-23 NCC Group

https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/

NCC Group RIFT analyzed Lazarus-linked macro documents that execute shellcode without the more commonly detected WriteProcessMemory or CreateThread APIs. The macros trigger through a Microsoft Forms ActiveX control, allocate an executable heap, decode shellcode from hardcoded UUID strings via UuidFromStringA, and execute it through a callback parameter in EnumSystemLocalesA. The activity aligns with Lazarus tradecraft involving phishing documents disguised as job descriptions, including LinkedIn-themed lures previously documented in Operation In(ter)ception. Confirmed artifacts include persistence under ProgramLogs, scheduled tasks such as ProgramLogsSrv.job and IntelGfx.job, copied Windows utilities, and command lines retrieving custom CSS or XSL resources from domains including crmute[.]com and advantims[.]com. The technique matters because it shows how Lazarus macro loaders can abuse legitimate Windows API behavior to reduce detection by endpoint controls.
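As an added example, not code from the NCC Group post or the macros it describes: a small Python analyst helper that rebuilds the byte blob UuidFromStringA would write into the heap from a macro's UUID string literals (so the recovered payload can be hashed and analysed offline) and flags VBA source that declares the heap-allocation/UUID-decode/locale-enumeration API trio. HeapCreate is assumed as the heap-allocation API; the VBA text and the encoded blob are constructed sample data, not material from the campaign.

```python
import re
import uuid

# Win32 API names whose co-occurrence in one macro matches the loader described above
# (HeapCreate is an assumption for the "executable heap" step; the other two are named in the post).
LOADER_APIS = ("HeapCreate", "UuidFromStringA", "EnumSystemLocalesA")
# A hyphenated UUID inside a VBA string literal.
UUID_LITERAL = re.compile(r'"([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})"')


def decode_uuid_blob(uuid_strings):
    """Rebuild the bytes UuidFromStringA would write for each string, in order.

    RPC stores a UUID as Data1 (u32), Data2 (u16), Data3 (u16) little-endian plus
    Data4 (8 raw bytes); Python's bytes_le reproduces exactly that memory layout,
    so concatenating it per string yields the blob the macro hands to the callback.
    """
    return b"".join(uuid.UUID(s).bytes_le for s in uuid_strings)


def triage_macro(vba_source):
    """Heuristic triage of VBA text: which loader APIs are declared, how many UUID
    literals it carries, and the bytes they decode to for further analysis."""
    apis = [a for a in LOADER_APIS if re.search(r"\b" + a + r"\b", vba_source)]
    literals = UUID_LITERAL.findall(vba_source)
    return {
        "apis_found": apis,
        "uuid_literal_count": len(literals),
        # Real loaders embed dozens of UUIDs; the low threshold here only serves the sample.
        "suspicious": len(apis) == len(LOADER_APIS) and len(literals) >= 3,
        "recovered_bytes": decode_uuid_blob(literals) if literals else b"",
    }


# Constructed sample: a benign ASCII marker (48 bytes = 3 UUIDs), encoded the way a macro would embed it.
SAMPLE_BLOB = b"CONSTRUCTED-SAMPLE-ONLY-NOT-A-REAL-PAYLOAD!!!!!!"
SAMPLE_UUIDS = [str(uuid.UUID(bytes_le=SAMPLE_BLOB[i:i + 16])) for i in range(0, len(SAMPLE_BLOB), 16)]
SAMPLE_VBA = (
    'Private Declare PtrSafe Function HeapCreate Lib "kernel32" (...) As LongPtr\n'
    'Private Declare PtrSafe Function UuidFromStringA Lib "rpcrt4" (...) As Long\n'
    'Private Declare PtrSafe Function EnumSystemLocalesA Lib "kernel32" (...) As Long\n'
    + "".join(f'uuids({i}) = "{u}"\n' for i, u in enumerate(SAMPLE_UUIDS))
)

if __name__ == "__main__":
    result = triage_macro(SAMPLE_VBA)
    print(result["apis_found"], result["uuid_literal_count"], result["suspicious"])
    print(result["recovered_bytes"])
```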

Indicators of Compromise

