Lazarus Group's Social Engineering Attacks Targeting the Cryptocurrency Industry

2021-07-20 Qihoo360 Lazarus Group's Social Engineering Attack Targets Cryptocurrency Industry

https://m.freebuf.com/news/286810.html


Sangfor attributes a social-engineering operation against cryptocurrency-sector targets to Lazarus, based on victimology and technical overlap with earlier Lazarus campaigns against security researchers. Operators allegedly contacted targets over instant messaging and delivered a modified build of the open-source Secure PDF Viewer executable together with an encrypted lure PDF named Android Hardware Wallet.pdf, inducing victims to open the document with that executable. The viewer checked for a marker in the PDF, XOR-decrypted the embedded data, dropped MSCache.cpl/CAST.dll, launched it with rundll32, and ran an in-memory downloader that attempted to retrieve a fourth-stage payload from the C2 server. The report notes a Lazarus-like execution format, an image/upload/upload.asp C2 path, and indicators including the domain smartaudpor.com and MD5 hashes of the delivered components.

Indicators of Compromise

Type Value First Seen Last Seen
HASH 93d04c28e2f1448a273a8e554260bd9d 2021-07-20 2021-07-20
HASH 1a00ef6c4cc9ae09f3f7d59cd726add1 2021-07-20 2021-07-20
HASH 819edb8646bf2f877ab636a8b27caafd 2021-07-20 2021-07-20
URL https://www.smartaudpor.com/ima… 2021-07-20 2021-07-20
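
As an added example (not part of the original report or this summary), the detection logic below encodes two observable points of the chain described above: rundll32 loading a .cpl/.dll from a user-writable path with a non-system parent (the dropped MSCache.cpl launched by the tampered viewer), and an HTTP request whose path is image/upload/upload.asp. The Sysmon-style process events and proxy log lines are constructed sample data, and the field names are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not from the report). Field names are assumed.
PROCESS_EVENTS = [
    {"parent": r"C:\Users\alice\Downloads\SecurePDFViewer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\MSCache.cpl",#1'},
    {"parent": r"C:\Windows\explorer.exe",  # benign Control Panel launch
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL timedate.cpl"},
]
PROXY_LINES = [
    "2021-07-20T10:01:02Z 10.0.0.5 POST https://www.smartaudpor.com/image/upload/upload.asp 200",
    "2021-07-20T10:01:09Z 10.0.0.5 GET https://example.org/index.html 200",
]

USER_WRITABLE = re.compile(r"\\(users|programdata)\\", re.I)   # paths a user can write to
MODULE_ARG = re.compile(r'"?([^"\s,]+\.(?:cpl|dll))"?', re.I)  # module passed to rundll32
C2_PATH = "/image/upload/upload.asp"                            # path noted in the report


def suspicious_rundll32(event):
    """Return details when rundll32 loads a .cpl/.dll from a user-writable
    location and the parent is not itself a Windows system binary."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return None
    match = MODULE_ARG.search(event["cmdline"])
    if not match:
        return None
    module = match.group(1)
    parent_is_system = event["parent"].lower().startswith("c:\\windows\\")
    if USER_WRITABLE.search(module) and not parent_is_system:
        return {"module": module, "parent": event["parent"]}
    return None


def c2_path_hits(lines):
    """Return hostnames of requests whose URL path equals the reported C2 path,
    so the rule still fires if the actor moves to a new domain."""
    hosts = []
    for line in lines:
        for token in line.split():
            if token.startswith("http"):
                url = urlparse(token)
                if url.path.lower() == C2_PATH:
                    hosts.append(url.hostname)
    return hosts
```

Matching the domain alone would miss a re-hosted stager; the path check and the rundll32 parent/path check each catch the chain independently.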
