Media Alert - Secureworks Discovers North Korean Cyber Threat Group Lazarus Spearphishing Financial Executives of Cryptocurrency Companies
2017-12-15 • Secureworks •
Secureworks reports that Lazarus Group, tracked internally as NICKEL ACADEMY, targeted financial executives at cryptocurrency companies with a spearphishing lure advertising a CFO position at a Europe-based cryptocurrency company. The phishing attachment was a Microsoft Word document that prompted the recipient to enable editing and then enable macros; once macros ran, the document displayed a decoy job description while installing a first-stage remote access trojan (RAT) in the background. Secureworks says the lure text appeared to be copied from open-source recruitment material, consistent with earlier NICKEL ACADEMY tradecraft. The attribution rests on macro and RAT elements shared with prior Lazarus campaigns and on components of a custom command-and-control (C2) protocol previously seen in NICKEL ACADEMY operations. The broader context is a North Korean interest in bitcoin that Secureworks dates to at least 2013.
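The lure works only if the recipient enables macros, so the first defensive check on a Word attachment is whether it carries a VBA project at all, regardless of what its extension claims. The script below is an added example, not Secureworks' tooling or any artifact from the campaign: it inspects a Word attachment as an OOXML zip package, looks for the `word/vbaProject.bin` part and the macro-enabled main-document content type, and flags a `.docx` extension on a package that nevertheless contains VBA. The sample packages it builds are constructed in memory for the demonstration (the "VBA" part is placeholder bytes, not real macro code); legacy binary `.doc` files are detected by their OLE header and routed elsewhere, because their macros live in OLE streams this check cannot see.

```python
"""Triage check for Word attachments that carry VBA macros (added example).

Modern Word files (.docx/.docm) are OOXML zip packages. A macro-enabled
document carries a ``word/vbaProject.bin`` part and declares a macro-enabled
main-document content type in ``[Content_Types].xml``. Standard library only,
so it can run inside a mail-gateway or SOAR hook without dependencies.
"""
import io
import zipfile

MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")
VBA_PART = "word/vbaProject.bin"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (CFB) header


def inspect_word_attachment(data: bytes, filename: str) -> dict:
    """Return a findings dict for one attachment (raw bytes plus claimed name)."""
    findings = {"filename": filename, "format": None, "has_vba": False,
                "macro_enabled_ct": False, "ext_mismatch": False,
                "verdict": "allow"}
    if data.startswith(OLE_MAGIC):
        # Legacy binary .doc: macros live in OLE streams, not zip entries.
        # This check cannot see them; hand the file to an OLE-aware parser.
        findings["format"] = "ole"
        findings["verdict"] = "needs_ole_parser"
        return findings
    if not zipfile.is_zipfile(io.BytesIO(data)):
        findings["format"] = "unknown"
        findings["verdict"] = "needs_manual_review"
        return findings
    findings["format"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["has_vba"] = VBA_PART in names
        try:
            ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ct_xml = ""  # malformed package; fall back to the part listing
        findings["macro_enabled_ct"] = MACRO_MAIN_CT in ct_xml
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A .docx that actually carries a VBA project is a classic evasion:
    # the extension says "no macros", the package says otherwise.
    findings["ext_mismatch"] = findings["has_vba"] and ext == "docx"
    if findings["has_vba"] or findings["macro_enabled_ct"]:
        findings["verdict"] = "block"
    return findings


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo, not a real document."""
    main_ct = MACRO_MAIN_CT if with_macro else PLAIN_MAIN_CT
    vba_override = (
        '<Override PartName="/word/vbaProject.bin" '
        'ContentType="application/vnd.ms-office.vbaProject"/>'
        if with_macro else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        f'{vba_override}</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                    'wordprocessingml/2006/main"/>')
        if with_macro:
            # Placeholder bytes standing in for a VBA project stream.
            zf.writestr(VBA_PART, b"placeholder bytes, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical attachment names; the campaign's actual filenames are not
    # given in the alert.
    for name, macro in (("sample.docm", True),
                        ("sample.docx", True),
                        ("sample.docx", False)):
        print(inspect_word_attachment(build_sample(macro), name))
```

The verdict is deliberately coarse: any VBA project blocks, because a recruitment document has no business carrying macros. In production the `needs_ole_parser` branch should hand the file to an OLE-aware tool rather than allowing it through, and the check should run on the decoded attachment bytes, not on the filename or declared MIME type alone.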