Blog | G5 Cyber Security

Operation Dream Job by Lazarus – JPCERT/CC Eyes

Torisma downloads and executes modules from external servers, and its infection spreads via malicious Word files. The Torisma samples that JPCERT/CC analysed are DLL files, executed as an argument of rundll32.exe. The malware's configuration, communication protocol and modules are described in the following sections. Torisma uses encryption, and it downloads and executes additional modules. The modules are provided as code, not in PE format.

Source: https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html
