DBAPPSecurity's Lieying Lab attributed a series of cryptocurrency-sector attacks to Lazarus, noting repeated activity against blockchain and cryptocurrency organizations and a recent attack on deBridge. The campaign used phishing emails with attachments or links to malicious archives, including lures such as Ledger Nano security patch manuals and job descriptions aimed at cryptocurrency companies including woo.network. A analyzed ZIP delivered a disguised LNK file that copied and renamed msiexec.exe, invoked it through pcalua.exe, downloaded a remote MSI, and executed embedded scripts to open a decoy PDF, create Edge.lnk persistence, inspect antivirus-related processes with WMI, and run a second-stage JavaScript command loop. The report highlights Lazarus' evolution from Office macros and mshta-based LNK execution toward MSI-based payload delivery, renamed LOLBins, obfuscation, and file-sharing-themed infrastructure such as documentshare[.]info, fclouddown[.]co, googlesheet[.]info, and 155.138.219[.]140.