A Tsunami Sweeping the Cyber Battlefield: Analysis of SectorA01’s Hacking Activities
2025-11-25 • NSHC
NSHC ThreatRecon analyzes SectorA01, identified as Lazarus, using malware disguised as cryptocurrency transaction software in activity observed in May 2025. The lure abuses Deriv branding to persuade cryptocurrency-related targets to install a fake Windows trading application built with NSIS and Electron. Execution proceeds through staged components: the installer launches an Electron app that displays the real Deriv site while running server.js in the background, then retrieves obfuscated JavaScript from fashdefi[.]store:6168/defy/v6 and uses eval to execute attacker-supplied code. The JavaScript connects to 144.172.105[.]189:1224 and uses paths such as /uploads, /pdown, and /client/3/102 to exfiltrate browser logins, cryptocurrency wallet files, and extension settings while deploying additional payloads.
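To turn the staged chain above into something a SOC can check, here is an added example (not code from the NSHC report) that triages simplified proxy log lines for the two network stages the summary names: the stager fetch from fashdefi[.]store:6168/defy/v6 and the follow-on traffic to 144.172.105[.]189:1224 on /uploads, /pdown and /client/3/102. The log line format and the sample lines are constructed for this example; the indicators are the report's, refanged so they match real logs.

```python
"""Triage proxy logs for the SectorA01 fake-Deriv chain (constructed log format)."""
import re
from collections import defaultdict

STAGER_HOST = ("fashdefi.store", 6168)        # serves the obfuscated /defy/v6 JS
C2_HOST = ("144.172.105.189", 1224)           # exfiltration / payload server
C2_PATHS = {"/uploads", "/pdown", "/client/3/102"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[^:/\s]+):(?P<port>\d+)(?P<path>\S*)$"
)

def parse(line):
    """Parse one '<ts> <src_ip> <METHOD> <host>:<port><path>' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def triage(lines):
    """Map each source IP to the chain stages it was observed performing."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        dest = (rec["host"], rec["port"])
        if dest == STAGER_HOST and rec["path"].startswith("/defy/"):
            hits[rec["src"]].add("stager_fetch")
        elif dest == C2_HOST and rec["path"] in C2_PATHS:
            hits[rec["src"]].add("c2_" + rec["path"].strip("/").split("/")[0])
    return dict(hits)

def verdict(stages):
    """Stager fetch followed by any C2 path is the full chain; C2 alone is partial."""
    if "stager_fetch" in stages and any(s.startswith("c2_") for s in stages):
        return "confirmed"
    return "suspicious" if stages else "clean"

SAMPLE_LOG = [  # constructed sample lines, not taken from the report
    "2025-05-12T09:01:03Z 10.0.0.5 GET fashdefi.store:6168/defy/v6",
    "2025-05-12T09:01:09Z 10.0.0.5 POST 144.172.105.189:1224/uploads",
    "2025-05-12T09:02:11Z 10.0.0.5 GET 144.172.105.189:1224/client/3/102",
    "2025-05-12T09:05:00Z 10.0.0.7 GET deriv.com:443/",
    "2025-05-12T09:06:30Z 10.0.0.9 GET 144.172.105.189:1224/pdown",
]
```

Run `triage(SAMPLE_LOG)` and pass each host's stage set to `verdict` to see 10.0.0.5 reported as the full chain and 10.0.0.9 as C2-only.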