Lazarus Group Targets Organizations with Sophisticated LinkedIn Recruiting Scam

2025-02-05 Bitdefender

https://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam

Bitdefender describes a North Korea-linked Lazarus recruiting scam that used LinkedIn job offers to push targets toward a malicious project repository. The code hid an obfuscated script that loaded a cross-platform stealer for Windows, macOS, and Linux, harvesting browser logins and cryptocurrency wallet extension data before staging more payloads. Follow-on Python and .NET components collected host fingerprints, added Defender exclusions, configured Tor proxy communication, and ran modules for keylogging, reconnaissance, file collection, and C2 access. The source frames the activity as part of DPRK job-lure operations aimed at credentials, crypto assets, and potentially sensitive enterprise access.
