Multi-staged, cross-platform, and likely targeted DPRK campaign

2025-10-22 Moonlock

https://archive.is/8wMxG


Researchers describe a likely targeted DPRK campaign that begins with a compiled AppleScript disguised as a .docx file, named like an OTC collaboration proposal, which points to a cryptocurrency-themed lure. The initial script fingerprints the macOS host (CPU, OS version, language), then contacts endesway[.]life and drops a further AppleScript posing as a software update tool. Later shell and JavaScript stages distinguish ARM from Intel Macs, collect OS, memory, network, and process data, and download a Node.js environment that uses the zx package for command execution and C2 communication. The chain persists through a LaunchAgent that runs default.js, and the final stage includes file-upload functionality for exfiltration and possible follow-on commands or modules. Hashes and URLs are provided for detection.
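Two of the host-side artifacts described above are cheap to hunt for without the hashes: a file whose name claims to be a .docx but whose bytes are a compiled AppleScript (the `.scpt` format begins with the `FasdUAS` signature, whereas a real .docx is an OOXML zip starting with `PK\x03\x04`), and a LaunchAgent whose ProgramArguments run `node` against a `.js` file. The script below is an added example written for this page, not Moonlock's tooling; it builds a throwaway directory with constructed sample files (the lure file name, the `com.example.*` labels and the `/Users/demo/.cache/...` paths are made up for the demo, only `default.js` comes from the report) and runs both checks over it.

```python
"""Hunt for two artifacts from the Moonlock write-up: a compiled AppleScript
posing as a .docx, and a LaunchAgent that runs a Node.js script.
Added example for this page, not the researchers' code. Sample files are
constructed below so it runs offline on any OS with plistlib."""
import tempfile
import plistlib
from pathlib import Path
from typing import List, Optional, Tuple

APPLESCRIPT_MAGIC = b"FasdUAS"    # header of a compiled AppleScript (.scpt)
ZIP_MAGIC = b"PK\x03\x04"         # a genuine .docx is an OOXML zip container


def classify_lure(path: Path) -> Optional[str]:
    """Return a finding when a file's name advertises .docx but its content
    is not a zip; None when the file is unremarkable."""
    if ".docx" not in path.name.lower():
        return None
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(ZIP_MAGIC):
        return None
    if head.startswith(APPLESCRIPT_MAGIC):
        return f"compiled AppleScript disguised as .docx: {path}"
    return f".docx name without OOXML zip header: {path}"


def classify_launch_agent(path: Path) -> Optional[str]:
    """Flag a LaunchAgent plist whose program arguments run node on a .js
    file, the persistence pattern described in the report."""
    try:
        with path.open("rb") as fh:
            plist = plistlib.load(fh)
    except (plistlib.InvalidFileException, OSError, ValueError):
        return None
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    if isinstance(plist.get("Program"), str):
        args.insert(0, plist["Program"])
    runs_node = any(Path(a).name in {"node", "nodejs"} for a in args)
    js_files = [a for a in args if a.lower().endswith(".js")]
    if runs_node and js_files:
        return f"LaunchAgent {plist.get('Label', '?')} runs node on {js_files}"
    return None


def hunt(docs_dir: Path, agents_dir: Path) -> List[str]:
    """Run both checks over a documents tree and a LaunchAgents directory."""
    findings = []
    for p in docs_dir.rglob("*"):
        if p.is_file():
            finding = classify_lure(p)
            if finding:
                findings.append(finding)
    for p in agents_dir.glob("*.plist"):
        finding = classify_launch_agent(p)
        if finding:
            findings.append(finding)
    return findings


def build_sample_tree() -> Tuple[Path, Path]:
    """Construct demo input: one benign .docx, one compiled AppleScript with a
    .docx name, one benign LaunchAgent and one node-based LaunchAgent.
    All names and paths here are invented for the example."""
    base = Path(tempfile.mkdtemp(prefix="dprk_hunt_"))
    docs = base / "Downloads"
    agents = base / "LaunchAgents"
    docs.mkdir()
    agents.mkdir()
    (docs / "quarterly_report.docx").write_bytes(ZIP_MAGIC + b"\x14\x00" + b"\x00" * 32)
    (docs / "OTC Collaboration Proposal.docx").write_bytes(b"FasdUAS 1.101.10\x0e\x00\x00\x00")
    with (agents / "com.example.benign.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True}, fh)
    with (agents / "com.example.update.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.update",
                       "ProgramArguments": ["/Users/demo/.cache/node/bin/node",
                                            "/Users/demo/.cache/default.js"],
                       "RunAtLoad": True, "KeepAlive": True}, fh)
    return docs, agents


if __name__ == "__main__":
    sample_docs, sample_agents = build_sample_tree()
    for line in hunt(sample_docs, sample_agents):
        print(line)
```

On a real Mac the same functions can be pointed at `~/Downloads` and `~/Library/LaunchAgents`; the magic-byte check also catches the common trick of a real extension hidden behind `.docx` in the visible name, because it never trusts the suffix.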

Indicators of Compromise

Type    Value                               First Seen  Last Seen
HASH    d59e365cb046795966be2510eac04ee…    2025-10-22  2025-10-22
HASH    e8b35333707a68770519772bdb9d739…    2025-10-22  2025-10-22
HASH    436dd0884c4095d96bdcff8ad9a37fb…    2025-10-22  2025-10-22
HASH    39e6cd8c7b2b414e3bfb35494619a33…    2025-10-22  2025-10-22
HASH    60a2222b76a227b40bb3942d02e96d1…    2025-10-22  2025-10-22
HASH    cc5f26770b5faf133bcdf26e0ebb915…    2025-10-22  2025-10-22
HASH    3079d5cb077d53cd5101fd29d97f46a…    2025-10-22  2025-10-22
HASH    6149bacfb02eb3db6f95947bc57d89b…    2025-10-22  2025-10-22
HASH    04ef5ec4d7be0e5cfdec101c0e69cd1…    2025-10-22  2025-10-22
HASH    17c73ec3298ead908cfe1f1c6193a4a…    2025-10-22  2025-10-22
URL     https://endesway.life/compatibi…    2025-10-22  2025-10-22
URL     https://endesway.life/node/hand…    2025-10-22  2025-10-22
DOMAIN  endesway.life                       2025-10-22  2025-10-22
