IT threat evolution Q2 2023
2023-08-30 • Kaspersky
Kaspersky observed the Gopuram backdoor in the 3CX supply-chain attack and attributed the campaign to Lazarus with medium to high confidence, based on links to the group's earlier AppleJeus and cryptocurrency-targeting activity. Gopuram was deployed to fewer than ten infected computers; infections rose in March 2023 and were concentrated on cryptocurrency companies. The backdoor supports file-system interaction, process creation, and in-memory modules, and Kaspersky assessed it as the main implant and final payload of that attack chain.

The excerpt also tracks Lazarus's DeathNote cluster as it moved from cryptocurrency-themed lures delivered through malicious Word documents to defense, academic, IT, and regional targets. Against those later targets the cluster used remote template injection, trojanized PDF viewers, vulnerable South Korean security software, and DLL side-loading, followed by Mimikatz, stealers, BLINDINGCAN, COPPERHEDGE, and ServiceMove for lateral movement. The progression shows Lazarus refining its infection chains and payload deployment across cryptocurrency and defense-related victims over several years.