Security warning: APT-C-28 (ScarCruft) launches cyberattacks using MiradorShell

2026-02-06 Qihoo360 Security Warning: APT-C-28 (ScarCruft) Uses MiradorShell to Launch Cyberattacks

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507801&idx=1&sn=e169339f921fd11a2fef8dfe068e616c&poc_token=HItfiWmjwCP6DUilL4b_EXSlNu_FoMKECyYW0Sig


APT-C-28, also tracked as ScarCruft or Konni, is reported to be targeting people in cryptocurrency and Web3 job-hunting or investment contexts with spear-phishing ZIP archives that contain LNK files disguised as PDFs. Opening the LNK runs obfuscated CMD and PowerShell, which in turn compiles C# code on the fly to decrypt an embedded payload, collect host and file information, and suppress second-stage execution on hosts that look like Google Compute Engine sandboxes. Hosts that pass these checks then fetch AutoIt3.exe and an AU3 script from paths under techcross-wne[.]com; together they form the MiradorShell v2.0 reverse backdoor. MiradorShell connects back to 65.21.182[.]178:443 and supports interactive shell access, file upload and download, directory listing, file deletion, remote command execution, scheduled-task persistence, and a victim identifier derived from hardware details. The campaign matters because it combines Web3-themed social engineering, likely compromised Korean infrastructure, and a full-featured AutoIt backdoor for post-compromise control; the defender-relevant stages are therefore a double-extension LNK in a downloaded ZIP, cmd.exe/powershell.exe spawned from Explorer, AutoIt3.exe executing a script from a user-writable directory, a scheduled task created from that process, and outbound 443/TCP to the listed address.
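The stages summarised above map onto a small set of endpoint telemetry checks that can be run over process-creation, file-creation and network-connection events. The Python below is an added hunting example written for this page; it is not code from the Qihoo 360 report or from the actor's tooling. The event dictionaries are a constructed, Sysmon-like format (not real telemetry), the `.pdf.lnk` double-extension pattern is an assumption about how an "LNK disguised as PDF" appears on disk, the rule names are invented here, and the pairing of an IOC hash with a particular sample event is illustrative because the summary does not say which artefact each hash belongs to.

```python
"""Hunt for the APT-C-28 / MiradorShell delivery chain in constructed endpoint events."""
import re
from collections import defaultdict

# Indicators copied from the report's IOC table.
IOC_DOMAIN = "techcross-wne.com"
IOC_C2_IP, IOC_C2_PORT = "65.21.182.178", 443
IOC_HASHES = {
    "e4e7351cf3fc80e6f65c2226d1cafdb2",
    "f9945ddbfcb05ee49ba21d49e8087a18",
    "4692034cd157c417c3868b5033d0e0d7",
    "ca1237bd33f61f77990d76a3df130ef5",
}

# Assumption: "LNK disguised as PDF" shows up on disk as a double extension.
DOUBLE_EXT_LNK = re.compile(r"\.pdf\.lnk$", re.IGNORECASE)


def basename(path):
    """Lower-cased final path component, tolerant of both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev):
    """Return the list of rule names a single event triggers (empty if none)."""
    hits = []
    kind = ev["type"]
    if kind == "file_create" and DOUBLE_EXT_LNK.search(ev["target"]):
        hits.append("lnk_pdf_masquerade")
    if kind == "process_create":
        img = basename(ev["image"])
        parent = basename(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "").lower()
        # An LNK opened from Explorer (or its ZIP viewer) spawns its shell under explorer.exe.
        # Noisy on its own, which is why hunt() requires several stages per host.
        if img in {"cmd.exe", "powershell.exe"} and parent == "explorer.exe":
            hits.append("shell_from_explorer")
        if IOC_DOMAIN in cmd:
            hits.append("ioc_domain_in_cmdline")
        # The backdoor is AutoIt3.exe interpreting an .au3 script.
        if img == "autoit3.exe" and ".au3" in cmd:
            hits.append("autoit_script_exec")
        # Scheduled-task persistence created by the AutoIt process itself.
        if img == "schtasks.exe" and "/create" in cmd and parent == "autoit3.exe":
            hits.append("schtasks_from_autoit")
        if ev.get("md5", "").lower() in IOC_HASHES:
            hits.append("ioc_hash")
    if kind == "network_connect":
        if ev["dst_ip"] == IOC_C2_IP and ev["dst_port"] == IOC_C2_PORT:
            hits.append("c2_connect")
    return hits


def hunt(events):
    """Group rule hits per host and flag hosts where two or more distinct stages fire."""
    per_host = defaultdict(set)
    for ev in events:
        for rule in match_event(ev):
            per_host[ev["host"]].add(rule)
    return {host: sorted(rules) for host, rules in per_host.items() if len(rules) >= 2}


# Constructed sample events: one host showing the full chain, one with a benign shell.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create",
     "target": r"C:\Users\kim\Downloads\Web3_JD.pdf.lnk"},
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c (constructed obfuscated stager)"},
    {"host": "ws01", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -w hidden -c (constructed download from techcross-wne.com)"},
    {"host": "ws01", "type": "process_create",
     "image": r"C:\Users\kim\AppData\Local\Temp\AutoIt3.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"AutoIt3.exe C:\Users\kim\AppData\Local\Temp\m.au3",
     "md5": "e4e7351cf3fc80e6f65c2226d1cafdb2"},  # IOC hash; pairing is illustrative
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\kim\AppData\Local\Temp\AutoIt3.exe",
     "command_line": r"schtasks.exe /create /sc minute /mo 5 /tn Updater /tr AutoIt3.exe"},
    {"host": "ws01", "type": "network_connect", "dst_ip": "65.21.182.178", "dst_port": 443},
    {"host": "ws02", "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, rules)
```

Only ws01 is flagged: ws02's cmd.exe under explorer.exe matches a single noisy rule and never reaches the two-stage threshold. In production the same logic runs over EDR or Sysmon exports, and the hash and domain rules should be kept even when the chain rules are tuned, since they are the cheapest exact matches against the table below.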

Indicators of Compromise

Type    Value                               First seen   Last seen
HASH    e4e7351cf3fc80e6f65c2226d1cafdb2    2026-02-06   2026-02-06
HASH    f9945ddbfcb05ee49ba21d49e8087a18    2026-02-06   2026-02-06
HASH    4692034cd157c417c3868b5033d0e0d7    2026-02-06   2026-02-06
HASH    ca1237bd33f61f77990d76a3df130ef5    2026-02-06   2026-02-06
URL     https://techcross-wne.com/inclu…    2026-02-06   2026-02-06
URL     https://techcross-wne.com/inclu…    2026-02-06   2026-02-06
URL     https://techcross-wne.com/inclu…    2026-02-06   2026-02-06
DOMAIN  techcross-wne.com                   2026-02-06   2026-02-06
IPv4    65.21.182.178                       2026-02-06   2026-02-06

The three URL entries are truncated in the feed; they are listed as distinct indicators in the source but only their common prefix survives here.
