Unit 42 identified continued Blockbuster-linked attack activity targeting individuals associated with United States defense contractors. The campaign used weaponized Microsoft Office documents with malicious macros and decoys copied from defense-contractor job descriptions and internal policy themes, marking a shift from earlier Korean-language targeting to English-speaking targets. The report ties the activity to prior Operation Blockbuster-related operations through reused macro source code, XOR keys, PE payload behavior, fake TLS communications, direct IPv4 C2 beaconing, and overlapping hosting paths and infrastructure. Indicators include weaponized document hashes, C2 or hosting IPs such as 210.202.40[.]35 and 104.192.193[.]149, and payload or document URLs on compromised systems.