APT trends report Q3 2021
2021-10-26 • Kaspersky
Kaspersky's Q3 2021 APT trends report says Lazarus attacked the defense industry with the MATA malware framework, using a trojanized application trusted by the intended victim. The execution chain began with a downloader that fetched additional malware from compromised C2 servers, and Kaspersky obtained several MATA components, including plugins. The report links the campaign more strongly to Lazarus through the evolution of MATA, the use of stolen certificates, and the downloader's ties to TangoDaiwbo. It separately notes updated DeathNote activity against a South Korean think tank and an IT asset monitoring vendor.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | quicktech.com | 2021-10-26 | 2021-10-26 |