Lazarus Cryptocurrency Theft Activity Remains Active, with Many Assets Still Alive

2024-10-15 Threat Book Lazarus Cryptocurrency Theft Activity Remains Active, with Many Assets Still Alive

https://mp.weixin.qq.com/s?__biz=Mzg5MTc3ODY4Mw==&mid=2247507123&idx=1&sn=c9291f0c483c9b5d318d48de92ba8987


Microstep Intelligence (ThreatBook) reports that Lazarus continues to target cryptocurrency-related personnel through fake recruiting offers and research projects posted on LinkedIn, X, Facebook, GitHub, and Stack Overflow. After moving victims into Telegram conversations, the operators lure them into installing trojanized cross-platform projects or fake conferencing software such as FCCCall, which is offered in both Windows and macOS versions. The analyzed Windows FCCCall MSI bundles a Qt6 application whose legitimate-looking video meeting window hides the wallet-data theft: it contacts the C2 at 185.235.241.208:1224 and uploads browser cryptocurrency wallet extension data. Follow-on Python payloads downloaded from the same infrastructure provide host reconnaissance, file theft, shell command execution, clipboard capture and keylogging, process and window monitoring, execution of a browser stealer, and AnyDesk-based remote control, showing continued DPRK interest in lightweight JavaScript and Python tooling for cryptocurrency theft.

Indicators of Compromise

Type   Value                                First Seen   Last Seen
HASH   8ebca0b7ef7dbfc14da3ee39f478e880     2024-08-13   2025-01-20
HASH   5cce14436b3ae5315feec2e12ce6121…     2024-10-15   2024-10-23
HASH   36cac29ff3c503c2123514ea903836d…     2024-09-04   2024-10-23
