In April 2021, a suspicious Word document with a Korean file name and decoy was detected. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, researchers came to the conclusion that the Andariel group was behind these attacks. Andariel is considered a sub-group of Lazarus. The threat actor has been spreading the third stage payload from the middle of 2020 onwards and leveraged malicious Word documents and files mimicking PDF documents as infection vectors. In addition to the final backdoor, one victim was discovered getting infected with custom ransomware. It adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.