North Korea-related mining malware under development

2018-01-09 Sands Lab North Korea-related mining malware under development

http://story.malwares.com/116

A Korean-language malware analysis of three AlienVault-published samples links a Monero cryptocurrency miner to suspected North Korea-related activity, noting the broader context of Lazarus shifting toward financial targets. The samples appear to be successive builds of the same project, adding functionality from version 1 through version 3 and deploying components under paths such as C:\Windows\Sys64\updater.exe and C:\Windows\Sys64\intelservice.exe. The latest sample launches the miner with parameters pointing to barjuok.ryongnamsan.edu.kp:5615 and a long wallet address believed to be associated with Monero mining. The report matters because it preserves early technical evidence of DPRK-linked cryptocurrency-mining activity, including hashes, file paths, execution behavior, and mining infrastructure that defenders can validate.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
HASH    c599f3ca3417169e4a620b8231f8a97…   2018-01-09   2018-01-09
HASH    42300b6a09f183ae167d7a11d9c6df2…   2018-01-09   2018-01-09
HASH    0024e32c0199ded445c0b968601f21c…   2018-01-09   2018-01-09
DOMAIN  barjuok.ryongnamsan.edu            2018-01-08   2018-01-09
