Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware

2022-12-05 Malwarebytes

https://www.malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware


Malwarebytes summarized Volexity’s reporting on a Lazarus Group AppleJeus campaign targeting cryptocurrency users and organizations. The activity used the fake BloxHolder cryptocurrency application and a cloned HaasOnline-themed website at bloxholder[.]com to distribute a Windows MSI installer bundled with QTBitcoinTrader. The installer created a scheduled task to run CameraSettingsUIHost.exe and abused DLL side-loading through dui70.dll and malicious DUser.dll. The campaign fits Lazarus’s long-running use of trojanized cryptocurrency applications to gain access, deploy additional malware, and enable cryptocurrency theft.
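The indicators above are only useful once they are matched against telemetry, and the side-loading chain gives a behavioural signal that survives domain and hash rotation: the legitimate camera-settings host should never load dui70.dll or DUser.dll from a user-writable directory. The script below is an added example, not code from Malwarebytes, Volexity or the original report. It takes the domains and hash straight from the table on this page, and it assumes a constructed DNS log format ("timestamp client query name"), Sysmon-style image-load records with Image and ImageLoaded fields, and a default C:\Windows\System32 location; all sample records are constructed.

```python
import ntpath
import re

# Indicators copied from this page's IoC table (Malwarebytes / Volexity, 2022-12).
IOC_DOMAINS = {
    "rebelthumb.net", "strainservice.com", "wirexpro.com",
    "oilycargo.com", "telloo.io", "bloxholder.com",
}
IOC_HASHES = {"18e190413af045db88dfbd29609eb877"}

# Assumed default Windows install path; adjust if %SystemRoot% differs.
SYSTEM32 = ntpath.normcase(r"C:\Windows\System32")
HOST_BINARY = "camerasettingsuihost.exe"
SIDELOAD_DLLS = {"dui70.dll", "duser.dll"}

# Constructed DNS log format: "<timestamp> <client-ip> query <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def match_domain(qname):
    """Return the IoC domain that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")  # tolerate trailing-dot FQDNs
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns_log(lines):
    """Return (timestamp, client, qname, matched_ioc) for every query to an IoC domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ioc = match_domain(m["qname"])
        if ioc:
            hits.append((m["ts"], m["client"], m["qname"], ioc))
    return hits


def match_hash(digest):
    """True if an MD5 hex digest (any case) is in the IoC set."""
    return digest.strip().lower() in IOC_HASHES


def outside_system32(path):
    """True if a Windows path does not live under the assumed System32 directory."""
    return not ntpath.normcase(ntpath.dirname(path)).startswith(SYSTEM32)


def is_sideload_event(event):
    """Heuristic over a Sysmon-style image-load record (fields Image, ImageLoaded):
    CameraSettingsUIHost.exe loading dui70.dll or DUser.dll from outside System32."""
    if ntpath.basename(event["Image"]).lower() != HOST_BINARY:
        return False
    if ntpath.basename(event["ImageLoaded"]).lower() not in SIDELOAD_DLLS:
        return False
    return outside_system32(event["ImageLoaded"])


def is_suspicious_task_command(command):
    """Scheduled-task action that runs a copy of the host binary outside System32."""
    exe = command.strip().strip('"')
    return ntpath.basename(exe).lower() == HOST_BINARY and outside_system32(exe)


# Constructed sample telemetry; none of it is real data.
SAMPLE_DNS = [
    "2022-12-02T09:15:01Z 10.0.4.21 query update.bloxholder.com",
    "2022-12-02T09:15:03Z 10.0.4.21 query notbloxholder.com",
    "2022-12-02T09:16:10Z 10.0.4.22 query rebelthumb.net.",
    "garbage line with no structure",
]
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\CameraSettingsUIHost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\DUser.dll"},
    {"Image": r"C:\Windows\System32\CameraSettingsUIHost.exe",
     "ImageLoaded": r"C:\Windows\System32\DUser.dll"},
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS):
        print("DNS IoC hit:", hit)
    for ev in SAMPLE_IMAGE_LOADS:
        if is_sideload_event(ev):
            print("Possible DLL side-load:", ev["ImageLoaded"])
```

The subdomain check requires a leading dot so that look-alike names such as notbloxholder.com do not produce false positives, and the image-load heuristic keys on the path rather than the DLL hash, which is what makes it hold up against recompiled payloads.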

Indicators of Compromise

Type    Value                             First Seen   Last Seen
DOMAIN  rebelthumb.net                    2022-12-01   2024-09-18
DOMAIN  strainservice.com                 2022-12-01   2023-10-26
DOMAIN  wirexpro.com                      2022-12-01   2023-04-03
DOMAIN  oilycargo.com                     2022-12-01   2023-04-03
HASH    18e190413af045db88dfbd29609eb877  2022-12-01   2022-12-05
DOMAIN  telloo.io                         2022-12-01   2022-12-05
DOMAIN  bloxholder.com                    2022-12-01   2022-12-05
