Analysis Report on Lazarus Malware Distributed via the ClickFix Technique, Part 1

2025-02-11 Nurilab Analysis of Lazarus Malware Distributed via the ClickFix Technique, Part 1

https://blog.naver.com/nurilab1/223756901839


Nurilab analyzes malware distribution that mirrors the Lazarus ClickFix technique, in which a fake CAPTCHA page uses social engineering to persuade the victim to copy and run a script. The script downloads a file named rzy.mp3 from the web server and executes it with mshta; despite its MP3 extension, the file contains malicious script content. The report follows multiple de-obfuscation and decryption stages that eventually generate a binary and load it into memory, making it relevant for defenders hunting script-driven ClickFix delivery and mshta abuse.
