North Korea Lazarus malware built for cryptocurrency theft: config(.)py (2025.8.7)

2025-09-29 Sakai North Korea/Lazarus cyber threat report

https://wezard4u.tistory.com/429606


A Korean analysis attributes a Python malware file named config.py to Lazarus activity focused on cryptocurrency theft. The script is designed to collect Chrome and Chromium browser profile data, including cryptocurrency wallet extension storage, cookies, keys, login data, Local Storage, IndexedDB, and related extension files. It targets wallet extensions such as MetaMask, Phantom, Coinbase Wallet, Keplr, and Rabby, then sends data to a hard-coded HTTP C2 at 151.243.101.229:8080. Persistence is established through the HKCU Run key named csshost, and the malware stores host data in files such as .host and .store while beaconing every 20 to 40 seconds. The command protocol uses short tokens for functions such as ping, upload, download, shell access, and automated Chrome collection, making the sample relevant to defenders tracking DPRK cryptocurrency-stealing tradecraft.
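The report gives three host-observable traits a defender can pivot on: the HKCU Run value named csshost, contact with 151.243.101.229:8080, and a 20 to 40 second beacon cadence. The following is an added detection sketch (not code from the report or from the analysed sample) that scores hosts on those traits over constructed, Sysmon-style telemetry; the event format and host names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Values taken from the report summary above
C2 = "151.243.101.229:8080"
RUN_KEY_NAME = "csshost"
BEACON_MIN, BEACON_MAX = 20, 40  # seconds between beacons

# Constructed sample events, flattened to "timestamp|host|type|detail".
# Hosts and timestamps are invented for illustration.
SAMPLE_EVENTS = """\
2025-08-07T09:00:00|WS01|reg|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\csshost
2025-08-07T09:00:05|WS01|net|151.243.101.229:8080
2025-08-07T09:00:33|WS01|net|151.243.101.229:8080
2025-08-07T09:01:10|WS01|net|151.243.101.229:8080
2025-08-07T09:01:45|WS01|net|151.243.101.229:8080
2025-08-07T09:00:07|WS02|net|151.243.101.229:8080
2025-08-07T09:30:00|WS02|net|151.243.101.229:8080
2025-08-07T09:00:00|WS03|reg|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive
"""

def parse(text):
    """Yield (timestamp, host, kind, detail) tuples from the flat event text."""
    for line in text.splitlines():
        ts, host, kind, detail = line.split("|", 3)
        yield datetime.fromisoformat(ts), host, kind, detail

def beacon_like(times):
    """True when at least two consecutive gaps fall in the reported 20-40 s band."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return sum(BEACON_MIN <= g <= BEACON_MAX for g in gaps) >= 2

def detect(text):
    """Return {host: [reasons]} for hosts showing any of the reported traits."""
    c2_times, run_key_hosts = defaultdict(list), set()
    for ts, host, kind, detail in parse(text):
        if kind == "net" and detail == C2:
            c2_times[host].append(ts)
        # Match only a Run-key value literally named csshost, not the path
        if kind == "reg" and "\\Run\\" in detail and detail.rsplit("\\", 1)[-1].lower() == RUN_KEY_NAME:
            run_key_hosts.add(host)
    findings = {}
    for host in sorted(set(c2_times) | run_key_hosts):
        reasons = []
        if host in run_key_hosts:
            reasons.append("run_key_csshost")
        if host in c2_times:
            reasons.append("c2_contact")
        if beacon_like(c2_times.get(host, [])):
            reasons.append("beacon_cadence")
        findings[host] = reasons
    return findings
```

Hosts that show all three reasons (here WS01) warrant immediate triage; a single C2 contact without cadence (WS02) is still worth checking against the IoC table below.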

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 151.243.101.229 2025-08-06 2026-01-21
HASH ef9c744288d17f53d85f9fbeeea587e2 2025-09-29 2025-09-29
HASH 70132499c4b5a0cad01a261758036e5… 2025-09-29 2025-09-29
HASH c7ecf8be40c1e9a9a8c3d148eb2ae2c… 2025-08-06 2025-09-29
