Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More
2018-01-24 • Trend Micro
Trend Micro analyzed a Lazarus RATANKBA variant discovered in June 2017 that moved from a traditional PE executable form to PowerShell while retaining its HTTP-based command protocol. Backend access showed victim data, with roughly 55% of observed RATANKBA PowerShell victims located in India and neighboring countries, including likely employees at web software development companies in India and South Korea rather than large banks. The infection chain used lure documents such as Office files, malicious CHM files, and script downloaders themed around software development or digital currencies, then dropped a backdoor that posted host data and polled a JSP-based C2 for jobs. The controller could queue host-manipulation tasks, execute commands, inject DLLs from URLs, kill the backdoor, and retrieve results, while observed operator artifacts suggested interest in cryptocurrencies including Bitcoin and NEO.
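A defender-side example added here, not code from the Trend Micro report: it scans constructed proxy-log lines for a scripting host that polls a `.jsp` endpoint at a near-constant interval, the traffic shape a PowerShell backdoor that repeatedly asks a JSP-based C2 for jobs would leave behind. Hostnames, URLs, process names and timestamps are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log lines (hypothetical hosts, processes and URLs, not IoCs
# from the report). Fields: timestamp, client, process, method, URL.
SAMPLE_LOG = """\
2017-06-12T09:00:00 10.0.0.5 powershell.exe POST http://c2.example/board/job.jsp
2017-06-12T09:01:00 10.0.0.5 powershell.exe POST http://c2.example/board/job.jsp
2017-06-12T09:02:02 10.0.0.5 powershell.exe POST http://c2.example/board/job.jsp
2017-06-12T09:03:00 10.0.0.5 powershell.exe POST http://c2.example/board/job.jsp
2017-06-12T09:04:00 10.0.0.5 powershell.exe POST http://c2.example/board/job.jsp
2017-06-12T09:00:10 10.0.0.7 chrome.exe GET http://news.example/index.jsp
2017-06-12T09:13:42 10.0.0.7 chrome.exe GET http://news.example/story.jsp
2017-06-12T10:02:05 10.0.0.7 chrome.exe GET http://news.example/index.jsp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe")

def parse_log(text):
    """Yield (timestamp, client, process, method, url) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, proc, method, url = m.groups()
            yield datetime.fromisoformat(ts), client, proc, method, url

def find_jsp_beacons(text, min_hits=4, max_jitter=0.2):
    """Flag (client, process, url) groups hitting a .jsp endpoint at least min_hits
    times with a relative standard deviation of inter-request gaps <= max_jitter.
    Returns one dict per flagged group; an empty list means nothing beacon-like."""
    groups = defaultdict(list)
    for ts, client, proc, method, url in parse_log(text):
        if url.lower().split("?")[0].endswith(".jsp"):
            groups[(client, proc, url)].append(ts)
    findings = []
    for (client, proc, url), stamps in groups.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"client": client, "process": proc, "url": url,
                             "hits": len(stamps), "interval_s": round(avg, 1),
                             "scripted_host": proc.lower() in SCRIPT_HOSTS})
    return findings
```

Ordinary browsing of `.jsp` pages (the chrome.exe lines) spreads across URLs and irregular gaps, so it is not flagged; tune `min_hits` and `max_jitter` to the polling interval you expect on your network.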