Researchers linked RustyAttr activity to Lazarus with moderate confidence based on tactical and infrastructure overlap with campaigns such as RustBucket. The malware targets macOS by hiding payload retrieval logic in extended file attributes and using Tauri applications signed with a leaked Apple certificate. Execution displays a decoy error message or PDF while malicious JavaScript retrieves the extended attribute content and runs it through a Rust backend. Reported indicators include support.cloudstore.business, support.docsend.site, and multiple hashes, but the source notes no confirmed victims or follow-on payloads.