Lazarus Group’s Latest Cyber Espionage Tactics Involving LinkedIn

2025-02-12 SOCRadar

https://socradar.io/lazarus-groups-cyber-espionage-involving-linkedin/


Lazarus operators used LinkedIn recruiter personas to approach finance and travel-sector targets with a supposed decentralized exchange project. After collecting a CV or GitHub link, the attackers shared a GitHub or Bitbucket repository containing obfuscated scripts that downloaded next-stage payloads from remote infrastructure. The campaign used a cross-platform JavaScript infostealer against browser cryptocurrency wallet extensions on Windows, macOS, and Linux, then installed a Python backdoor for persistence, clipboard monitoring, remote access, and additional malware delivery. Reported indicators included support.cloudstore[.]business, support.docsend[.]site, 104.168.165[.]203, and a filedn[.]com URL.

Indicators of Compromise

Type     Value                              First Seen   Last Seen
URL      https://filedn.com/lY24cv0Ifefb…   2024-11-13   2025-02-12
DOMAIN   filedn.com                         2024-11-13   2025-02-12
IPv4     104.168.165.203                    2024-07-15   2025-02-12
IPv4     104.168.157.45                     2024-07-15   2025-02-12
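The indicators above are only useful once they are refanged and matched correctly against telemetry. The following is an added example (not SOCRadar's tooling) that refangs the page's reported domains and IPs and runs them over a few constructed proxy/DNS log lines, matching subdomains of a domain indicator but not its parent domain; the log format and client addresses are assumptions.

```python
import ipaddress

# Indicators reported in the summary and table above, copied in defanged form.
REPORTED_INDICATORS = [
    "support.cloudstore[.]business",
    "support.docsend[.]site",
    "104.168.165[.]203",
    "104.168.157[.]45",
]


def refang(value: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable, lowercase value."""
    return value.replace("[.]", ".").strip().lower()


def classify(value: str) -> str:
    """Label a refanged indicator as 'ipv4' or 'domain'."""
    try:
        ipaddress.ip_address(value)
        return "ipv4"
    except ValueError:
        return "domain"


def host_matches(host: str, indicator: str) -> bool:
    """Exact hostname match, or host is a subdomain of the indicator.
    'docsend.site' does NOT match 'support.docsend.site' (parent, not child)."""
    return host == indicator or host.endswith("." + indicator)


# Constructed sample log lines (not from the report): "<timestamp> <client> <host>"
SAMPLE_LOG = """\
2025-02-10T09:12:01Z 10.0.0.15 support.cloudstore.business
2025-02-10T09:12:05Z 10.0.0.15 104.168.165.203
2025-02-10T09:13:00Z 10.0.0.22 www.linkedin.com
2025-02-10T09:14:10Z 10.0.0.22 cdn.support.docsend.site
2025-02-10T09:15:00Z 10.0.0.31 docsend.site
"""


def scan(log_text: str, indicators=REPORTED_INDICATORS):
    """Return (timestamp, client, host, matched_indicator) for every hit."""
    iocs = [(refang(i), classify(refang(i))) for i in indicators]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, host = parts
        host = host.lower()
        for value, kind in iocs:
            if (kind == "ipv4" and host == value) or (kind == "domain" and host_matches(host, value)):
                hits.append((ts, client, host, value))
    return hits
```

Note that bare filedn.com from the table is left out of the match list on purpose: it is a shared file-hosting domain, so matching it alone would flag unrelated downloads, and the reported URL path is truncated on the page.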
