Analysis of TraderTraitor’s GopherGrabber Malware observed by Willo Campaign

2025-04-22 S2W

https://s2w.inc/en/resource/detail/806


S2W links the Willo Campaign to TraderTraitor and describes a North Korea-backed phishing operation against cryptocurrency employees, including developers and sales staff. The activity used malicious NPM packages in June 2024, a Versus X-themed installer in July 2024, and LinkedIn job-offer lures from December 2024 that sent victims to a fake Willo video-interview page and prompted them to run malicious commands. The final malware, GopherGrabber, is a Go-based multi-platform backdoor and stealer that communicates with command-and-control servers over HTTP/S using MD5 hashing and RC4-encrypted packets. S2W assesses the campaign as strongly tied to TraderTraitor while noting a weak infrastructure overlap with UNC5221 through an SSL certificate match.

Indicators of Compromise

Type     Value     First Seen   Last Seen
DOMAIN   aws.info  2025-04-22   2025-04-22
