Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies

2018-03-28 Intezer

http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/

Intezer reported a March 2018 Lazarus Group campaign targeting cryptocurrency exchanges, FinTech firms, financial companies, and other cryptocurrency-related organizations with a malicious `Investment Proposal.doc` lure impersonating the Australian law firm Holley Nethercote. The document executed an obfuscated VBA macro that dropped a RAT as `%USERPROFILE%\RuntimeBroker.exe`, established persistence through a Startup shortcut, hid the file with system attributes, decrypted XOR-protected API/import buffers, and used wolfSSL-encrypted C2 communications. Intezer found limited code reuse with earlier Lazarus malware but a largely new codebase, and documented 22 backdoor commands for host reconnaissance, command execution, process control, file theft, deletion, configuration updates, privilege elevation, and server-supplied code injection. The report published two SHA-256 indicators and five C2 IP addresses.