North Korea's Safari: Poaching for Armadillos
2026-02-21 • Bitso
https://quetzal.bitso.com/p/north-koreas-safari-poaching-for
Quetzal details POWerful Armadillo, a newly named DPRK macOS malware family delivered through compromised WhatsApp accounts posing as a WebEx installer. The infection chain begins with a DMG containing a Bash-based installer, then pulls obfuscated Bash, JavaScript/JXA, and AppleScript components that prompt for credentials, steal Keychain, browser, wallet, Telegram, Apple Notes, and user-directory files, and establish LaunchAgent persistence. The persistent JXA agent fingerprints hosts, polls command-and-control, executes remote Bash/AppleScript/JXA tasks, and gates C2 interactions behind a SHA-256 proof-of-work challenge. Reported infrastructure includes 62.60.226.225, hoplokiroute[.]com, a Cloudflare Pages staging domain, multiple staged ASPX-looking URLs, and SHA-256 hashes for the macOS components, making the report useful for tracking DPRK developer- and crypto-focused macOS intrusion tradecraft.
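As an added defender-side example (not code from the Quetzal report or the malware it describes), the following Python helper parses LaunchAgent plists and flags the traits summarised above: osascript running a JavaScript (JXA) payload, shell download or decoding stages, the reported infrastructure, and RunAtLoad persistence. The sample plist, its label and its paths are constructed, and the heuristics are assumptions rather than the report's own detection logic.

```python
import plistlib
from pathlib import Path
from typing import List

# Infrastructure reported on the page (defanged there as hoplokiroute[.]com).
REPORTED_IOCS = ("62.60.226.225", "hoplokiroute.com")


def analyze_launch_agent(plist_bytes: bytes) -> List[str]:
    """Return human-readable findings for one LaunchAgent plist (empty = nothing suspicious)."""
    findings: List[str] = []
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed plists are themselves worth a look
        return [f"unparseable plist: {exc}"]
    args = list(plist.get("ProgramArguments") or [])
    if isinstance(plist.get("Program"), str):
        args.insert(0, plist["Program"])
    joined = " ".join(str(a) for a in args)
    # Persistent JXA agent: osascript told to interpret JavaScript.
    if "osascript" in joined and "JavaScript" in joined:
        findings.append("osascript invoked with a JavaScript (JXA) payload")
    # Bash-based staging: inline shell, downloads or base64-decoded blobs.
    if any(tok in joined for tok in ("bash -c", "sh -c", "curl ", "base64")):
        findings.append("shell download/decoding stage in ProgramArguments")
    for ioc in REPORTED_IOCS:
        if ioc in joined:
            findings.append(f"reported indicator present: {ioc}")
    if plist.get("RunAtLoad") and (plist.get("KeepAlive") or "StartInterval" in plist):
        findings.append("persistence: RunAtLoad combined with KeepAlive/StartInterval")
    return findings


def scan_launch_agents(directory: str) -> dict:
    """Run the triage over every .plist in a directory, e.g. ~/Library/LaunchAgents."""
    results = {}
    for path in Path(directory).expanduser().glob("*.plist"):
        hits = analyze_launch_agent(path.read_bytes())
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample mimicking the persistence pattern described (not a real artifact).
SAMPLE_JXA_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/usr/bin/osascript</string><string>-l</string><string>JavaScript</string>
<string>/Users/Shared/.agent.js</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
```

Running `scan_launch_agents("~/Library/LaunchAgents")` on a host returns only the plists that trip at least one heuristic, which keeps triage output short.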