Analysis of a suspected APT-C-26 (Lazarus) attack campaign using cryptocurrency wallet promotional information

2023-01-11 Qihoo360 Suspected APT-C-26 (Lazarus) attack activity using cryptocurrency wallet promotional information

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247491718&idx=1&sn=71ac64eff7aa1dae857b12999ab03a4d&chksm=f9c1d38fceb65a9964858df003ac8fa8a17bf473be9de4b1e47543da3b203c0f0083f92d3e20&scene=178&cur_album_id=1915287066892959748#rd


360 Advanced Threat Research Institute describes a suspected APT-C-26/Lazarus campaign delivering a malicious ISO themed around promotion of the Somora cryptocurrency wallet to cryptocurrency holders. The ISO contained wallet screenshots and a malicious “Somora Cryptocurrency Wallet” LNK that invoked PowerShell, dropped a decoy PDF, a loader DLL, and encrypted data, then executed the DLL via rundll32. The loader decrypted shellcode that restored and ran a backdoor assessed as a possible NukeSped variant based on code structure, hardcoded C2 behavior, XOR/base64 command handling, and command-execution logic similar to earlier Lazarus samples. The report lists droidnation[.]net/nation.php and long encrypted/hash artifacts as supporting indicators.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
HASH    3099980ca44cae6a68887bbcb37ac5e6   2023-01-11   2023-01-11
HASH    0ae1172aaca0ed4b63c7c5f5b1739294   2023-01-11   2023-01-11
DOMAIN  droidnation.net                    2023-01-11   2023-01-11
