deBridge Finance crypto platform targeted by Lazarus hackers
2022-08-08 • BleepingComputer
Suspected Lazarus operators targeted deBridge Finance employees with a phishing email impersonating co-founder Alex Smirnov and claiming to share salary-adjustment information. The lure used an HTML file posing as a PDF and a Windows LNK masquerading as a password text file; execution retrieved a payload, displayed a fake password in Notepad, checked for selected security products, and established startup persistence when they were absent. The malware collected host details such as username, operating system, CPU, network adapters, and running processes before awaiting C2 instructions. BleepingComputer tied the activity to Lazarus/CryptoCore/CryptoMimic through filename and infrastructure overlaps with earlier Coinbase-themed attacks against cryptocurrency firms.
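
The two lure types described above (HTML posing as a PDF, an LNK posing as a text file) can be caught at attachment triage by comparing the type a file name advertises with what its leading bytes actually are. The following is an added example, not code from the article or from deBridge; the function names are hypothetical and the sample names and bytes are constructed.

```python
import struct

# A Shell Link (.lnk) starts with HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script")
DOC_EXTS = ("pdf", "txt")  # document types the lures in this report imitated


def sniff(head: bytes) -> str:
    """Classify content from its leading bytes, ignoring the file name."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(b"%PDF-"):
        return "pdf"
    probe = head[:512].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    return "html" if probe.startswith(HTML_MARKERS) else "unknown"


def advertised(name: str) -> str:
    """Type the name suggests: the first document-like extension, else the last one."""
    exts = name.lower().split(".")[1:]
    for ext in exts:
        if ext in DOC_EXTS:
            return ext
    return exts[-1] if exts else ""


def triage(name: str, head: bytes) -> list[str]:
    """Return findings where the advertised type and the real content disagree."""
    shown, real = advertised(name), sniff(head)
    findings = []
    if real == "lnk" and shown != "lnk":
        findings.append(f"shortcut presented as .{shown}")
    elif shown == "pdf" and real != "pdf":
        findings.append(f"{real} content presented as .pdf")
    return findings


# Constructed samples (names and bytes are illustrative, not taken from the incident).
SAMPLES = {
    "Salary.pdf.html": b"<html><body>loading...</body></html>",
    "Password.txt.lnk": LNK_MAGIC + b"\x00" * 60,
    "report.pdf": b"%PDF-1.7\n",
    "tool.lnk": LNK_MAGIC + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, "->", triage(name, head) or "ok")
```

Windows hides the `.lnk` extension in Explorer, which is why the check treats the first document-like extension as the advertised type rather than the last one.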