North Korean hackers use signed macOS malware to target IT job seekers
2022-08-17 • BleepingComputer
Lazarus used a signed macOS executable in a fake Coinbase job-offer campaign aimed at financial-technology and Web3 workers. ESET found a universal Intel/Apple silicon build that dropped FinderFontsUpdater.app, a safarifontagent downloader, and a decoy “Coinbase_online_careers_2022_07” PDF matching the Windows lure. The sample was signed with a developer certificate issued to Shankey Nohria but was not notarized, and its downloader contacted a different C2 server that was already offline during analysis. ESET linked the activity to Operation In(ter)ception, a Lazarus campaign known for using fake employment opportunities against aerospace, military, and cryptocurrency-related targets.