DEV-0139 launches targeted attacks against the cryptocurrency industry

2022-12-06 Microsoft

https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/

Microsoft investigated DEV-0139 activity targeting cryptocurrency investment companies through carefully prepared Telegram social engineering. The actor joined VIP cryptocurrency exchange communication groups, impersonated OKX-linked contacts, and moved employees into a secondary chat before sending a weaponized Excel file named OKX Binance & Huobi VIP fee comparision.xls. The macro used VBA UserForm obfuscation to drop VSDB688.tmp, retrieve a PNG from od.lk, and extract logagent.exe, a malicious wsock32.dll, and an XOR-encoded backdoor for DLL side-loading and remote access. Microsoft also connected the technique to a CryptoDashboardV2 MSI variant that side-loaded DUser.dll via TPLink.exe, indicating repeated use of DLL proxying against cryptocurrency-sector targets.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
DOMAIN  strainservice.com                   2022-12-01   2023-10-26
HASH    8400f2674892cdfff27b0dfe98a2a77…    2022-12-06   2022-12-06
HASH    d021d412be456a6f78a0052a1f0e355…    2022-12-06   2022-12-06
URL     https://od.lk/d/d021d412be456a6…    2022-12-06   2022-12-06
IPv4    198.54.115.248                      2022-12-06   2022-12-06
HASH    e5980e18319027f0c28cd2f581e75e7…    2022-12-01   2022-12-06
HASH    a2d3c41e6812044573a939a51a22d65…    2022-12-01   2022-12-06
HASH    abca3253c003af67113f83df2242a70…    2022-12-01   2022-12-06
