Hunting Lazarus Part IX: The Google Mirror
2026-05-22 • Red Asgard
https://redasgard.com/blog/hunting-lazarus-part9-google-mirror
Red Asgard identifies five trojanized browser extensions tied to a Lazarus/Contagious Interview extension layer, masquerading as Bitwarden, Phantom, TronLink, Trust Wallet, and a Brave/MetaMask-themed wallet. The extensions resolve their command-and-control base URL at runtime from an Aptos blockchain transaction payload, then send a one-shot identity beacon to `/inz-notify` containing the Chrome profile ID and email from `chrome.identity.getProfileUserInfo()`. Later wallet-data exfiltration uses `/inz` with the same `head` object plus a body payload, letting operators attach stolen wallet artifacts to a browser identity. Shared `manifest.json.commands.__meta` metadata, the common Aptos dead-drop address, and the repeated boot sequence across password-manager and wallet brands make the campaign pattern useful for hunting beyond a single malicious extension.
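A manifest triage helper for the hunting lead the summary ends on, added here as an illustration and not code from Red Asgard's write-up: it scores Chrome extension manifests for the non-standard `commands.__meta` key, the `identity` permission behind `getProfileUserInfo()`, and a password-manager or wallet brand name. The two manifests are constructed samples, and the brand list and scoring thresholds are assumptions for triage, not indicators from the post.

```python
import json

# Constructed sample manifests (not taken from the page). "ext_a" carries the
# traits the write-up describes; "ext_b" is a benign-looking control.
SAMPLE_MANIFESTS = {
    "ext_a": json.dumps({
        "manifest_version": 3,
        "name": "Bitwarden Password Manager",
        "permissions": ["storage", "identity", "tabs"],
        "host_permissions": ["<all_urls>"],
        "commands": {
            "__meta": {"build": "constructed-sample"},
            "autofill": {"suggested_key": {"default": "Ctrl+Shift+L"}},
        },
    }),
    "ext_b": json.dumps({
        "manifest_version": 3,
        "name": "Benign Notes",
        "permissions": ["storage"],
        "commands": {"open": {"suggested_key": {"default": "Ctrl+Shift+N"}}},
    }),
}

# Assumed brand list, derived from the brands named in the summary.
IMPERSONATED_BRANDS = ("bitwarden", "phantom", "tronlink", "trust wallet", "metamask", "brave")


def triage_manifest(raw: str) -> list:
    """Return a list of hunting findings for one manifest.json body."""
    m = json.loads(raw)
    findings = []
    commands = m.get("commands", {})
    # Keys under "commands" are command names; "__meta" is not one Chrome defines,
    # so its presence is a cheap cross-brand pivot.
    if isinstance(commands, dict) and "__meta" in commands:
        findings.append("commands.__meta key present")
    if "identity" in set(m.get("permissions", [])):
        findings.append("identity permission (chrome.identity.getProfileUserInfo)")
    name = m.get("name", "").lower()
    if any(brand in name for brand in IMPERSONATED_BRANDS):
        findings.append(f"brand-themed name: {m.get('name')}")
    return findings


def scan(manifests: dict) -> dict:
    """Map extension id -> findings, keeping only manifests with two or more hits."""
    results = {eid: triage_manifest(raw) for eid, raw in manifests.items()}
    return {eid: f for eid, f in results.items() if len(f) >= 2}
```

Point `scan()` at manifests read from each profile's Extensions directory; a single brand-name hit is expected for the genuine extension, so only the combination is surfaced.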