Lazarus’ latest tactics: Deceptive development and ClickFix

2025-07-22 Gen Digital

https://www.gendigital.com/blog/insights/research/deceptive-nvidia-attack


Gen Digital observed a multi-stage DeceptiveDevelopment-style attack chain that used a mock hiring assessment and a fake camera-update flow to trick users into copying and running a malicious command disguised as an NVIDIA-related update. The infection downloaded and extracted an archive, launched an embedded Python environment through a VBS script, and ran heavily obfuscated Python code that the researchers say aligns with known Lazarus APT tactics. The payload chain stole browser and email credentials with WebBrowserPassView and MailPassView, installed MeshAgent for remote access, deployed a PyInstaller component for file and secret extraction via FTP, and harvested cryptocurrency-related browser extensions and local folders. Reported indicators include the assessment URL assessdome[.]com/invite/7e462f3c/8002565804, the C2 endpoint metakenproxy[.]com:81, and hashes for the VBS script, the Python script, the credential tools, MeshAgent, and ChromeUpdate.exe. The activity matters for DPRK-focused tracking because it combines social engineering against job seekers and developers with credential theft, persistence, remote access, and cryptocurrency targeting.

Indicators of Compromise

Type   | Value                              | First Seen | Last Seen
HASH   | 36541fad68e79cdedb965b1afcdc453…   | 2025-07-22 | 2025-12-17
HASH   | bc7bd27e94e24a301edb3d3e7fad982…   | 2025-07-22 | 2025-12-17
HASH   | 9757780860ec5637c412a8756f25c56…   | 2025-07-22 | 2025-07-22
HASH   | 00bef70cd031a830f2ee1ec4ce75094…   | 2025-07-22 | 2025-07-22
HASH   | 03ad194456951695eb4d4ceb40d9e52…   | 2025-07-22 | 2025-07-22
HASH   | 7013822c0a794712c5fe8f62c126e59…   | 2025-07-22 | 2025-07-22
DOMAIN | assessdome.com                     | 2025-07-22 | 2025-07-22
DOMAIN | metakenproxy.com                   | 2025-07-22 | 2025-07-22
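The following is an added detection example, not code from Gen Digital or from the report. It turns the behaviour described in the summary (a VBS script launching an embedded Python interpreter, the named credential tools, MeshAgent) and the two domains from the IoC table into simple rules run over constructed process-creation and network log lines. The log formats, host names, file paths and the executable names for the tools (webbrowserpassview.exe, mailpassview.exe, meshagent.exe) are assumptions for this example; only the domains and the port 81 C2 endpoint come from the page.

```python
import re
from dataclasses import dataclass
from typing import List

# Domains from the report's IoC table (defanging brackets removed for matching).
IOC_DOMAINS = {"assessdome.com", "metakenproxy.com"}
# The report names metakenproxy[.]com:81 as the C2 endpoint.
IOC_C2 = {("metakenproxy.com", 81)}

# Tools named in the report. The binary names are assumed defaults, not values from the page.
CREDENTIAL_TOOLS = {"webbrowserpassview.exe", "mailpassview.exe"}
REMOTE_ACCESS_TOOLS = {"meshagent.exe"}

# Hypothetical log formats, constructed for this example (not the vendor's telemetry format).
PROC_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent="(?P<parent>[^"]*)" '
    r'image="(?P<image>[^"]*)" cmdline="(?P<cmdline>[^"]*)"$'
)
NET_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$')


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(line: str) -> List[Alert]:
    """Apply the process-chain rules derived from the report to one event line."""
    m = PROC_RE.match(line)
    if not m:
        return []
    host, parent, image = m["host"], _basename(m["parent"]), _basename(m["image"])
    alerts = []
    # Report: a VBS script launched an embedded Python interpreter.
    if parent in {"wscript.exe", "cscript.exe"} and image in {"python.exe", "pythonw.exe"}:
        alerts.append(Alert(host, "vbs_launches_python", m["cmdline"]))
    # Report: browser and email credentials dumped with WebBrowserPassView / MailPassView.
    if image in CREDENTIAL_TOOLS:
        alerts.append(Alert(host, "credential_dump_tool", image))
    # Report: MeshAgent installed for remote access.
    if image in REMOTE_ACCESS_TOOLS:
        alerts.append(Alert(host, "remote_access_tool", image))
    return alerts


def check_network(line: str) -> List[Alert]:
    """Match a destination against the report's domains and C2 endpoint."""
    m = NET_RE.match(line)
    if not m:
        return []
    host, dst, port = m["host"], m["dst"].lower(), int(m["port"])
    if (dst, port) in IOC_C2:
        return [Alert(host, "c2_endpoint", f"{dst}:{port}")]
    if dst in IOC_DOMAINS:
        return [Alert(host, "ioc_domain", dst)]
    return []


def scan(proc_lines, net_lines) -> List[Alert]:
    """Run both rule sets and return every alert in log order."""
    alerts: List[Alert] = []
    for line in proc_lines:
        alerts.extend(check_process(line))
    for line in net_lines:
        alerts.extend(check_network(line))
    return alerts


# Constructed sample telemetry; paths and host names are invented for the example.
SAMPLE_PROC = [
    '2025-07-22T10:01:02Z host=ws01 parent="C:\\Windows\\System32\\wscript.exe" '
    'image="C:\\Users\\dev\\AppData\\Local\\Temp\\nvupdate\\python.exe" cmdline="python.exe main.py"',
    '2025-07-22T10:01:05Z host=ws01 parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Program Files\\App\\app.exe" cmdline="app.exe"',
    '2025-07-22T10:02:00Z host=ws01 parent="C:\\Users\\dev\\AppData\\Local\\Temp\\nvupdate\\python.exe" '
    'image="C:\\Users\\dev\\AppData\\Local\\Temp\\WebBrowserPassView.exe" cmdline="WebBrowserPassView.exe"',
    '2025-07-22T10:02:30Z host=ws01 parent="C:\\Users\\dev\\AppData\\Local\\Temp\\nvupdate\\python.exe" '
    'image="C:\\Program Files\\Mesh Agent\\MeshAgent.exe" cmdline="MeshAgent.exe -install"',
]
SAMPLE_NET = [
    "2025-07-22T10:03:00Z host=ws01 dst=metakenproxy.com:81",
    "2025-07-22T10:03:01Z host=ws01 dst=example.com:443",
    "2025-07-22T10:00:30Z host=ws01 dst=assessdome.com:443",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_PROC, SAMPLE_NET):
        print(f"{a.host}  {a.rule:<22} {a.detail}")
```

The domain and C2 matches are exact-string checks against the table, so they go stale as infrastructure changes; the process-chain rule (a script host spawning a Python interpreter from a user-writable directory) is the part worth keeping, since it describes the delivery mechanism rather than one campaign's infrastructure.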
