Cryptocurrency APT Intelligence: Revealing Lazarus Group Intrusion Techniques

2025-02-23 Slowmist Cryptocurrency APT Intelligence: Revealing Lazarus Group Intrusion Techniques

https://mp.weixin.qq.com/s/rB4XeIBATAb1zHZ9WVyxAg


SlowMist assessed a state-level APT campaign targeting cryptocurrency exchanges and, after forensic analysis and correlation across recent incidents, attributed it to Lazarus Group. The attackers used social engineering to persuade employees to run disguised Python projects such as `StockInvestSimulator-main.zip` and `MonteCarloStockInvestSimulator-main.zip`, then abused the unsafe deserialization behavior of `pyyaml`'s `yaml.load` for remote code execution and malware delivery. The described intrusion path ran from compromise of the employee's local device, through abuse of Docker `privileged: true` for privilege escalation, internal network scanning, exploitation of enterprise services and SSH key theft, to lateral movement toward wallet servers. Reported infrastructure and identities included `gossipsnare[.]com`, `showmanroast[.]com`, `getstockprice[.]info`, `eclairdomain[.]com`, `replaydreary[.]com`, several GitHub accounts, and the Telegram account `@tanzimahmed88`. The stated objective was to gain control of wallets and transfer large amounts of cryptocurrency, while using legitimate enterprise tools, VPN traffic, and deletion of logs and samples to obscure the activity.

Indicators of Compromise

