Radiant Capital Incident Update

2024-12-06 Radiant Capital

https://medium.com/@RadiantCapital/radiant-capital-incident-update-e56d8c23829e

Radiant Capital reports that a September 2024 Telegram lure impersonated a trusted former contractor and delivered a zipped file that was later shared among developers for review. The ZIP contained INLETDRIFT, a macOS backdoor packaged as a legitimate-looking PDF application, using AppleScript to communicate with atokyonews[.]com and establish persistence. The attackers compromised multiple developer devices, staged malicious smart contracts across several chains, and caused front-end interfaces to display benign transaction data while malicious transactions were signed in the background. Mandiant attributed the attack with high confidence to UNC4736, also known as AppleJeus or Citrine Sleet, assessed as a DPRK-nexus actor aligned with the Reconnaissance General Bureau.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
DOMAIN  atokyonews.com                     2024-12-06  2024-12-20
HASH    ff15427d45b84e79b2e81199613041bb   2024-12-06  2024-12-06
URL     https://atokyonews.com/CloudChe…   2024-12-06  2024-12-06
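The indicators above are only useful once they are checked against telemetry. The following is an added example (not code from Radiant Capital, Mandiant or the page itself) that takes the three IoCs exactly as listed and sweeps them over constructed DNS, proxy and EDR log lines. Two caveats from the table are handled explicitly: the URL is truncated on the page ("CloudChe…"), so it is treated as a prefix rather than completed, and the 32-character hash is compared as an MD5-length digest because the page does not name the algorithm. Log format, field names and all sample values are assumptions constructed for the example.

```python
"""Sweep the page's IoCs over sample log lines.

Added example, not part of the original report. The log format
(key=value fields), the field names and the sample lines are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# IoCs exactly as listed in the page's table. The URL is truncated on the
# page, so it is kept as a prefix and never completed.
IOCS = {
    "DOMAIN": ["atokyonews.com"],
    "HASH": ["ff15427d45b84e79b2e81199613041bb"],  # 32 hex chars, MD5 length
    "URL_PREFIX": ["https://atokyonews.com/CloudChe"],
}

KV = re.compile(r"(\w+)=(\S+)")  # assumed key=value log layout


def refang(value: str) -> str:
    """Normalize defanged notation (atokyonews[.]com, hxxps://) and case."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v)


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True for the IoC domain or any subdomain; look-alikes do not match."""
    host = refang(host).rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


@dataclass
class Hit:
    line_no: int
    ioc_type: str
    value: str


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every IoC hit in one log line."""
    fields = {k.lower(): v for k, v in KV.findall(line)}
    hits: list[Hit] = []
    if "query" in fields:  # DNS resolver log
        for d in IOCS["DOMAIN"]:
            if domain_matches(fields["query"], d):
                hits.append(Hit(line_no, "DOMAIN", d))
    if "url" in fields:  # web proxy log
        url = refang(fields["url"])  # note: lowercases the path as well
        host = urlsplit(url).hostname or ""
        for d in IOCS["DOMAIN"]:
            if domain_matches(host, d):
                hits.append(Hit(line_no, "DOMAIN", d))
        for p in IOCS["URL_PREFIX"]:
            if url.startswith(p.lower()):
                hits.append(Hit(line_no, "URL_PREFIX", p))
    if "md5" in fields:  # EDR file event
        for h in IOCS["HASH"]:
            if fields["md5"].lower() == h:
                hits.append(Hit(line_no, "HASH", h))
    return hits


def scan_logs(lines: list[str]) -> list[Hit]:
    hits: list[Hit] = []
    for i, line in enumerate(lines, 1):
        hits.extend(scan_line(i, line))
    return hits


# Constructed sample lines: one benign look-alike domain, one subdomain,
# one proxy request whose URL equals the page's truncated prefix.
SAMPLE_LOGS = [
    "2024-12-06T10:01:22Z dns client=10.0.0.12 query=ATOKYONEWS.COM type=A",
    "2024-12-06T10:01:23Z proxy client=10.0.0.12 url=https://atokyonews.com/CloudChe method=GET",
    "2024-12-06T10:02:05Z dns client=10.0.0.13 query=notatokyonews.com type=A",
    "2024-12-06T10:03:40Z edr host=dev-mac-03 event=file_create md5=FF15427D45B84E79B2E81199613041BB path=/Users/dev/Downloads/sample.zip",
    "2024-12-06T10:04:11Z dns client=10.0.0.14 query=cdn.atokyonews.com type=A",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
```

Run as-is it reports five hits across four lines; the look-alike `notatokyonews.com` produces none. Because the URL indicator is a prefix, a proxy log will usually be caught by the domain rule first; the prefix rule only adds confidence when the full path is known.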
