Changes in the attack methods of the targeted attack group CryptoMimic

2021-02-01 NTTSecurity Changes in the attack methods of the targeted attack group CryptoMimic

https://insight-jp.nttsecurity.com/post/102gpur/cryptomimic


NTT Security Japan reported changes in the activity of CryptoMimic, a financially motivated targeted attack group also known as Dangerous Password, CageyChameleon, Leery Turtle, or CryptoCore and described as having possible Lazarus links. The group continued targeting financial institutions, especially cryptocurrency-related organizations in Japan and other countries, while updating its Cabbage RAT and msoRAT tradecraft. Since around June 2020, observed attacks shifted from VBScript to JScript Cabbage RAT components, delivered as ZIP files containing a decoy document and an LNK shortcut file, with the ZIP reaching victims via email or via URLs sent through LinkedIn. The newer dropper used mshta.exe to download and run JScript, opened a decoy document hosted on Google Drive, created persistence through the Startup folder, and added checks for BitDefender and Symantec products.
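As an added example (not code from the NTT Security report) of how a defender might look for the dropper behaviour summarised above in endpoint telemetry, the following Python flags mshta.exe launched with a remote URL, mshta.exe spawned by explorer.exe (consistent with a double-clicked LNK shortcut), and files written into the per-user Startup folder. The log events, paths and URLs are constructed; the Sysmon-like event shape (EventID 1 for process creation, EventID 11 for file creation) is an assumption.

```python
import json
import re
from typing import Dict, List

# Constructed sample events in a Sysmon-like shape (EventID 1 = process
# creation, EventID 11 = file creation). Paths and URLs are illustrative only.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe https://example.invalid/loader.hta"}',
    r'{"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.js"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\App\\setup.exe", "CommandLine": "mshta.exe C:\\Program Files\\App\\help.hta"}',
    r'{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"}',
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component, lower-cased, so rules are not fooled by case or full paths."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict) -> List[str]:
    """Return the names of the rules an event matches (empty list = no match)."""
    hits: List[str] = []
    if event.get("EventID") == 1 and _basename(event.get("Image", "")) == "mshta.exe":
        # Rule 1: mshta.exe asked to fetch its script from a remote URL.
        if URL_RE.search(event.get("CommandLine", "")):
            hits.append("mshta_remote_script")
        # Rule 2: mshta.exe spawned by explorer.exe, which is what a
        # double-clicked LNK shortcut looks like in process telemetry.
        if _basename(event.get("ParentImage", "")) == "explorer.exe":
            hits.append("mshta_from_explorer")
    if event.get("EventID") == 11 and STARTUP_RE.search(event.get("TargetFilename", "")):
        # Rule 3: a file dropped into the per-user Startup folder (persistence).
        # Tune by extension or writing process to cut noise from legitimate installers.
        hits.append("startup_folder_persistence")
    return hits


def scan(lines: List[str]) -> List[Dict]:
    """Parse JSON log lines and return the events that matched at least one rule."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        hits = classify(event)
        if hits:
            alerts.append({"Image": event.get("Image"), "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```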

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 103.31.249.62 2021-01-28 2021-02-01
IPv4 45.61.139.215 2021-01-28 2021-02-01
IPv4 103.130.195.170 2021-01-28 2021-02-01
IPv4 84.201.189.216 2020-11-24 2021-02-01
