Interview with the Chollima

2025-04-11 Bitso

https://quetzal.bitso.com/p/interview-with-the-chollima


Bitso’s Quetzal team describes a highly targeted North Korean Chollima/Lazarus social-engineering attempt against fintech and crypto personnel. A fake recruiter using the name “Wilton Santos” asked the researcher to patch a DApp repository. The code looked clean, but it contained a failing bootstrap path whose catch handler pulled code from an external API and executed it with require(). Sandbox execution showed the payload was OtterCookie, a stealer associated with ContagiousInterview that targets browser password managers and crypto-wallet extensions. The report links the activity to broader tactics used against engineers through fake coding tasks and against executives through fake Zoom-fix lures. Listed indicators include chainlink-api-v3.cloud, 135.181.123.177, a Bitbucket download URL, several SHA256 hashes, and a Solana wallet address.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| DOMAIN | chainlink-api-v3.cloud | 2025-04-11 | 2026-02-19 |
| IPv4 | 135.181.123.177 | 2025-04-11 | 2025-10-16 |
| HASH | 56e15ef3b5e5f169fc063f8d3e88288e | 2025-04-11 | 2025-07-30 |
| URL | http://chainlink-api-v3.cloud/a… | 2025-04-11 | 2025-07-30 |
| HASH | ec234419fc512baded05f7b29fefbf1… | 2025-04-11 | 2025-06-03 |
| HASH | aa0d64c39680027d56a32ffd4ceb787… | 2025-04-11 | 2025-06-03 |
| HASH | 071aff6941dc388516d8ca0215b757f… | 2025-04-11 | 2025-06-03 |
| HASH | 486f305bdd09a3ef6636e92c6a9e016… | 2025-04-11 | 2025-06-03 |
| URL | http://chainlink-api-v3.cloud/a… | 2025-04-11 | 2025-06-03 |
