Group-IB researchers noticed a Windows version of BeaverTail, which was attributed to Lazarus

2024-08-13 Group-IB

https://archive.is/4xEa8

Group-IB observed a Windows BeaverTail variant attributed to Lazarus alongside JavaScript BeaverTail distribution through trojanized ReactJS games packaged as NPM-based projects. The Windows sample masqueraded as a conferencing application named FCCCall.exe, consistent with earlier trojanized conferencing-app activity such as MiroTalk. BeaverTail’s described behavior includes stealing cryptocurrency wallet data, expanding targeted browser extensions to Kaikas, Rabby, Argent X, and Exodus Web3, and retrieving the InvisibleFerret next stage. The excerpt provides C2 and hash indicators, supporting detection for Lazarus-linked wallet theft and developer- or crypto-focused infection attempts.

Indicators of Compromise

Type   Value                             First Seen   Last Seen
IPv4   95.164.17.24                      2024-07-15   2026-04-01
IPv4   185.235.241.208                   2024-08-13   2025-11-13
HASH   8ebca0b7ef7dbfc14da3ee39f478e880  2024-08-13   2025-01-20
HASH   ed60b3913e6694f4a0ed2fe25551bd1f  2024-08-13   2024-08-13
HASH   dc77044fe8d35882015eaa99ca31f826  2024-08-13   2024-08-13
HASH   b9693b6541a22d01b100b867375279e6  2024-08-13   2024-08-13
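The summary says the indicators above support detection of BeaverTail infection attempts. The following is an added example, not code from Group-IB or the page, of how a defender would turn that table into a simple matcher: it parses the IoC rows exactly as listed, then scans log lines for exact IPv4 and MD5 matches (exact, so that a longer address such as 95.164.17.245 does not trigger on the 95.164.17.24 indicator). The log lines, the 10.0.0.23 source host, the download path and the benign hash are constructed sample data and are not from the report; only the IoC values and the FCCCall.exe filename come from the page.

```python
import re
from dataclasses import dataclass

# Indicator rows copied from the page's IoC table: type, value, first seen, last seen.
IOC_TABLE = """\
IPv4 95.164.17.24 2024-07-15 2026-04-01
IPv4 185.235.241.208 2024-08-13 2025-11-13
HASH 8ebca0b7ef7dbfc14da3ee39f478e880 2024-08-13 2025-01-20
HASH ed60b3913e6694f4a0ed2fe25551bd1f 2024-08-13 2024-08-13
HASH dc77044fe8d35882015eaa99ca31f826 2024-08-13 2024-08-13
HASH b9693b6541a22d01b100b867375279e6 2024-08-13 2024-08-13
"""


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    first_seen: str
    last_seen: str


def parse_iocs(text):
    """Parse whitespace-separated IoC rows; hash values are normalised to lowercase."""
    iocs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip headers / blank lines
        ioc_type, value, first, last = parts
        iocs.append(Indicator(ioc_type, value.lower(), first, last))
    return iocs


# Token-bounded patterns so that partial overlaps (e.g. a longer IP) are not counted.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
MD5_RE = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{32})(?![0-9a-fA-F])")


def scan_logs(log_lines, iocs):
    """Return (line_number, ioc_type, value) for every exact indicator hit."""
    ip_set = {i.value for i in iocs if i.ioc_type == "IPv4"}
    hash_set = {i.value for i in iocs if i.ioc_type == "HASH"}
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ip_set:
                hits.append((n, "IPv4", ip))
        for h in MD5_RE.findall(line):
            if h.lower() in hash_set:
                hits.append((n, "HASH", h.lower()))
    return hits


# Constructed sample log lines (not from the page): one proxy hit on a listed C2 address,
# one EDR file event carrying a listed MD5 (uppercase, to show normalisation), and two
# benign lines, including a near-miss IP that must not match.
SAMPLE_LOGS = [
    "2024-08-14T09:12:01Z proxy src=10.0.0.23 dst=95.164.17.24 dport=443 host=-",
    "2024-08-14T09:12:05Z edr event=file_create path=C:\\Users\\dev\\Downloads\\FCCCall.exe "
    "md5=8EBCA0B7EF7DBFC14DA3EE39F478E880",
    "2024-08-14T09:13:44Z proxy src=10.0.0.23 dst=95.164.17.245 dport=443 host=updates.example.com",
    "2024-08-14T09:15:10Z edr event=process_start image=C:\\Windows\\System32\\notepad.exe "
    "md5=d41d8cd98f00b204e9800998ecf8427e",
]


def find_hits():
    """Run the matcher over the constructed sample logs."""
    return scan_logs(SAMPLE_LOGS, parse_iocs(IOC_TABLE))


if __name__ == "__main__":
    for line_no, ioc_type, value in find_hits():
        print(f"line {line_no}: {ioc_type} match on {value}")
```

The near-miss address on the third sample line is the point of the token-bounded regex: a plain substring search on 95.164.17.24 would flag it, and hash comparison must be case-insensitive because different tools emit MD5 in different cases.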
