Anheng’s Hunting Shadow Lab reported suspected Lazarus activity, likely associated with the BlueNorOff subgroup, targeting venture capital and cryptocurrency themes through encrypted document lures. The samples used ZIP files containing protected PDFs and fake Password.txt LNK files that executed obfuscated commands, launched mshta, fetched HTA scripts, and deployed follow-on payloads. One analyzed chain contacted hobobot[.]net, downloaded cry.exe and then crypto.exe from filebin[.]net, and ended with a Cobalt Strike payload using 100.26.34[.]10 as its team server. The report highlights a continuation of Lazarus cryptocurrency targeting since at least 2017, with evolution from macro/VBS delivery toward LNK, mshta, and more heavily obfuscated PowerShell while retaining similar social-engineering patterns.