Technical Analysis of the APT-C-26 (Lazarus) Group Exploiting a WinRAR Vulnerability to Deploy the Blank Grabber Trojan

2025-12-12 Qihoo360 Technical Analysis of APT-C-26 (Lazarus) Using a WinRAR Vulnerability to Deploy the Blank Grabber Trojan

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507693&idx=1&sn=e73e1cca5af2ee80c3037daa1dbd2ab1


360 researchers attribute a malicious archive campaign to APT-C-26/Lazarus, reporting exploitation of the WinRAR path traversal vulnerability CVE-2025-8088 through a file named Pharos.rar. The archive is disguised as a Pharos Automation Bot project and abuses NTFS Alternate Data Stream handling so that extraction drops 1.bat into the Windows Startup folder. The infection chain displays a fake Windows Defender update warning, downloads and runs an obfuscated Python loader from Dropbox, installs Python if it is not already present, establishes persistence, and retrieves Tsunami Injector and additional payloads. The final Blank Grabber configuration steals Chromium and Firefox browser data, Discord and Telegram sessions, Wi-Fi credentials, gaming sessions, and seed phrases or private-key material from more than 20 cryptocurrency wallets, including MetaMask, Exodus, and Electrum. The cryptocurrency-themed lure and the theft modules enabled in the configuration make the campaign especially relevant to defenders tracking Lazarus operations against crypto users and developers.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  41df3b66ebcfb6e4d4d581d678299041  2025-12-12  2025-12-12
HASH  faa9dec02bad43b1af68a4194dea8762  2025-12-12  2025-12-12
HASH  273af5e2e0130baee7d3b55081be5ad5  2025-12-12  2025-12-12
