RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector
2025-02-26 • Palo Alto Networks (Unit 42)
https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/
Unit 42 observed a North Korea-linked macOS campaign targeting job-seeking software developers in the cryptocurrency sector through fake recruiter or employer interactions and malicious development projects. The activity used RustDoor binaries masquerading as legitimate software updates and a previously undocumented macOS variant of Koi Stealer impersonating Visual Studio. RustDoor attempted to steal LastPass Chrome extension data and exfiltrate it to visualstudiomacupdate[.]com, to download reverse-shell scripts from apple-ads-metric[.]com, and to connect to 31.41.244[.]92 over TCP 443. Koi Stealer prompted the victim for administrator credentials and then collected the account username and password, the hardware UUID, the list of installed applications, browser data, FileZilla files, OpenVPN profiles, Steam data, and cryptocurrency wallet-related files. The campaign matters because it shows suspected North Korean operators continuing job-themed social engineering against crypto-sector developers while adapting macOS stealers and evasion techniques.
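As an added example that is not part of the Unit 42 report, the Python below sweeps proxy- and DNS-style log lines for the network indicators the summary lists (the two domains and the IP). It refangs the indicators from the report's bracketed form, matches exact hosts and subdomains of the listed domains without matching look-alike prefixes, and flags any connection to the listed IP while keeping the observed port so an analyst can see whether it is the reported TCP 443. The key=value log format and the sample lines are constructed for this example.

```python
"""Hunt for the RustDoor network indicators from the Unit 42 report in
proxy/DNS-style logs. The log format and sample lines are constructed for
this example; only the indicators come from the report."""
import ipaddress
import re
from typing import NamedTuple

# Indicators exactly as the report defangs them.
DEFANGED_IOCS = {
    "domains": ["visualstudiomacupdate[.]com", "apple-ads-metric[.]com"],
    "ips": ["31.41.244[.]92"],
}
REPORTED_PORT = 443  # TCP port the report associates with the IP


def refang(indicator: str) -> str:
    """Turn report-style 'example[.]com' back into a matchable string."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


class Hit(NamedTuple):
    line_no: int
    indicator: str
    kind: str  # "domain" or "ip"


# Constructed key=value log format: host=/query= carry a DNS name,
# dst= carries the destination IPv4 address and port.
HOST_RE = re.compile(r"\b(?:host|query)=([A-Za-z0-9.-]+)")
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def host_matches(host: str, domains: list[str]) -> bool:
    """Exact match or a subdomain of a listed domain; a look-alike such as
    'notexample.com' must not match 'example.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan(lines, iocs=DEFANGED_IOCS) -> list[Hit]:
    """Return one Hit per indicator occurrence, in log order."""
    domains = [refang(d).lower() for d in iocs["domains"]]
    ips = {ipaddress.ip_address(refang(i)) for i in iocs["ips"]}
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            if host_matches(m.group(1), domains):
                hits.append(Hit(n, m.group(1).lower().rstrip("."), "domain"))
        for m in DST_RE.finditer(line):
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:  # e.g. 999.1.1.1 slipped through the regex
                continue
            # Any contact with the listed IP is a hit; the port is kept so the
            # analyst can see whether it matches the reported 443 or not.
            if ip in ips:
                hits.append(Hit(n, f"{ip}:{m.group(2)}", "ip"))
    return hits


SAMPLE_LOGS = [  # constructed, not from the report
    "2025-02-20T10:01:02Z proxy host=www.apple.com dst=17.253.144.10:443 user=dev1",
    "2025-02-20T10:02:15Z dns query=visualstudiomacupdate.com type=A client=10.0.0.5",
    "2025-02-20T10:02:16Z proxy host=VisualStudioMacUpdate.com dst=31.41.244.92:443 user=dev1",
    "2025-02-20T10:05:00Z dns query=cdn.apple-ads-metric.com type=A client=10.0.0.5",
    "2025-02-20T10:06:00Z proxy host=notapple-ads-metric.com dst=93.184.216.34:80 user=dev2",
    "2025-02-20T10:07:00Z fw dst=31.41.244.92:8443 action=allow",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        port_note = ""
        if h.kind == "ip" and not h.indicator.endswith(f":{REPORTED_PORT}"):
            port_note = " (port differs from report)"
        print(f"line {h.line_no}: {h.kind} {h.indicator}{port_note}")
```

Feed it real proxy or DNS exports by adapting the two regexes to your log schema; the matching logic itself (refang, suffix match, IP set lookup) stays the same.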