The Nightmare of Global Cryptocurrency Companies: Unmasking the APT Group "DangerousPassword"

2020-01-08 Qianxin. The nightmare of global cryptocurrency companies: unmasking the APT group "DangerousPassword"

https://www.secrss.com/articles/16505


ThreatBook reported a cluster it named DangerousPassword after finding compressed trojan packages built around cryptocurrency-themed lures such as monthly business reports, job descriptions, project risk briefs, and salary guidance. The activity targeted cryptocurrency companies and used phishing emails to deliver archive files containing an encrypted Office decoy together with a malicious LNK file disguised as a password text file.

When the victim opened the LNK, the chain retrieved VBScript through bit.ly redirects and attacker infrastructure, displayed the decoy password to the victim so the lure looked legitimate, established startup persistence, checked for Chinese antivirus processes, and sent host and process data to the C2 server. Reported infrastructure included 41.85.145.164:8080, showprice.xyz, start.showprice.xyz, drivegoogle.publicvm.com, and more than 100 lookalike domains impersonating Google, Microsoft, Amazon, and related services.

The campaign matters because it shows a focused, multilingual social-engineering operation against cryptocurrency businesses that combines backdoor execution, reconnaissance, persistence, and potential follow-on remote-control tooling.
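As an added example that is not part of the report, the following triage script flags the archive lure described above: an Office decoy packaged with a .lnk whose name masquerades as a password text file. The sample archive and its member names are constructed here, not taken from the campaign.

```python
import io
import zipfile

# Office extensions that stand in for the encrypted decoy document.
OFFICE_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
# Extensions a masquerading shortcut borrows as a double extension (".txt.lnk").
MASQUERADE_EXT = {".txt", ".pdf", ".doc", ".docx"}


def _ext_chain(name):
    """Return the full extension chain of a member name, e.g. ['.txt', '.lnk']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def classify_member(name):
    """Classify one archive member: 'office', 'masquerade_lnk', 'lnk' or 'other'."""
    exts = _ext_chain(name)
    if not exts:
        return "other"
    if exts[-1] in OFFICE_EXT:
        return "office"
    if exts[-1] == ".lnk":
        stem = name.rsplit("/", 1)[-1].lower()
        # A shortcut whose visible name imitates a text file, or that advertises
        # a password, matches the decoy described in the report.
        if (len(exts) > 1 and exts[-2] in MASQUERADE_EXT) or "password" in stem:
            return "masquerade_lnk"
        return "lnk"
    return "other"


def triage_archive(data):
    """Return (verdict, masquerading members) for raw ZIP bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        kinds = {n: classify_member(n) for n in zf.namelist()}
    findings = sorted(n for n, k in kinds.items() if k == "masquerade_lnk")
    has_office = "office" in kinds.values()
    # Both halves of the lure together are what makes the archive suspicious.
    verdict = "suspicious" if findings and has_office else "clean"
    return verdict, findings


def build_sample_archive(include_lnk=True):
    """Constructed sample mirroring the reported layout; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Monthly Business Report.docx", b"placeholder for encrypted decoy")
        if include_lnk:
            zf.writestr("password.txt.lnk", b"placeholder for shortcut payload")
    return buf.getvalue()
```

Run `triage_archive(build_sample_archive())` to see the constructed lure flagged; the same function can be pointed at attachments pulled from a mail gateway quarantine.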

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| DOMAIN | docs.goglesheet.com | 2020-01-08 | 2022-01-13 |
| DOMAIN | drivegoogle.publicvm.com | 2019-07-09 | 2021-05-24 |
| IPv4 | 41.85.145.164 | 2020-01-08 | 2021-01-28 |
| HASH | a50ec2f42bec1c43e952de2728de021… | 2020-01-08 | 2020-08-18 |
| DOMAIN | download.showprice.xyz | 2019-07-09 | 2020-08-18 |
| DOMAIN | msupdate.publicvm.com | 2020-01-08 | 2020-06-24 |
| DOMAIN | start.showprice.xyz | 2019-07-09 | 2020-05-06 |
| URL | http://download.showprice.xyz:8… | 2020-01-08 | 2020-01-08 |
| URL | http://start.showprice.xyz:8080… | 2020-01-08 | 2020-01-08 |
