Lazarus Group continues AppleJeus Operation

2021-10-11 Telsy

https://www.telsy.com/lazarus-group-continues-applejeus-operation/


Telsy analyzed Lazarus Group samples tied to the AppleJeus operation, which again used a trojanized cryptocurrency trading application as the initial lure. The campaign packaged a malicious version of QtBitcoinTrader in an MSI installer that dropped files under %appdata%/QtBitcoinTrader and scheduled execution of the legitimate CertEnrollCtrl.exe executable. The infection chain relied on DLL side-loading: CertEnrollCtrl.exe loaded the malicious dsparse.dll, which executed shellcode and launched the embedded final backdoor. The backdoor supported multiple commands and communicated over HTTPS with digitalguarder.com, which resolved to 198.54.121.240 and presented a Domain Control Validated Sectigo certificate similar to that seen on prior AppleJeus infrastructure.

Indicators of Compromise

Type    Value                First Seen   Last Seen
DOMAIN  digitalguarder.com   2021-10-11   2021-10-11
IPv4    198.54.121.240       2021-10-11   2021-10-11
