Lazarus Group Evolves Fileless Mac Threat

2019-12-06 K7Security Labs

https://labs.k7computing.com/index.php/lazarus-group-evolves-fileless-mac-threat/

K7 Computing describes a Lazarus-attributed macOS campaign using a Trojanized UnionCryptoTrader cryptocurrency trading application distributed from unioncrypto.vip. The installer abused a post-install shell script to move a LaunchDaemon plist and loader into system locations, establishing persistence and executing the UnionCrypto updater component. The loader collected the Mac serial number and OS information, posted them to Lazarus command-and-control infrastructure, and could decrypt a returned payload using base64 decoding and AES decryption. Static analysis showed the payload could be executed directly from memory via Mach-O loading APIs or written to disk with executable permissions, highlighting Lazarus experimentation with fileless macOS delivery.

Indicators of Compromise

Type  Value                              First Seen  Last Seen
HASH  2ab58b7ce583402bf4cbc90bee643ba…   2019-12-06  2021-02-18
