Stealthy Attributes of APT Lazarus: Evading Detection with Extended Attributes

2024-11-13 Group-IB

https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/

Group-IB identified a macOS technique attributed with moderate confidence to Lazarus in which malicious code is hidden inside custom extended attributes rather than in visible application files. The RustyAttr trojans were built with Tauri, used JavaScript-to-Rust calls to read an extended attribute named "test," and executed the embedded shell script while showing either a decoy PDF or a fake unsupported-version dialog. The scripts attempted to fetch follow-on content from staging servers such as support.cloudstore[.]business and support.docsend[.]site, and the infrastructure and hosting context overlapped with earlier Lazarus activity including RustBucket-related files. The samples were signed with a leaked certificate later revoked by Apple, were unnotarized, and were undetected on VirusTotal at analysis time, making the extended-attribute smuggling technique notable for macOS defense and detection engineering.
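As an added example, not code from Group-IB's post or from the RustyAttr samples, the following Python scans a snapshot of per-file extended attributes and flags any attribute outside a short benign allowlist whose value looks like a shell script, the smuggling pattern described above. The allowlist, the script markers, the tree-walking helper and the sample snapshot are my assumptions, constructed for illustration.

```python
"""Flag extended attributes that carry script-like payloads (added example)."""
import os
import re
from typing import Dict, List, Tuple

# Assumption: a small starting allowlist of attribute names macOS itself writes.
KNOWN_BENIGN = {
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.lastuseddate#PS",
    "com.apple.provenance",
}

# Assumption: markers that make an attribute value look like an executable script.
SCRIPT_MARKERS = re.compile(rb"(?:^#!|\bcurl\b|\bosascript\b|/bin/(?:ba|z)?sh\b)", re.MULTILINE)


def classify_attr(name: str, value: bytes) -> str:
    """Return 'benign' (allowlisted name), 'script' (payload-like value) or 'unknown'."""
    if name in KNOWN_BENIGN:
        return "benign"
    if SCRIPT_MARKERS.search(value.lstrip()):
        return "script"
    return "unknown"


def scan_snapshot(snapshot: Dict[str, Dict[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Return (path, attribute, verdict) for every attribute that is not allowlisted."""
    findings = []
    for path, attrs in snapshot.items():
        for name, value in attrs.items():
            verdict = classify_attr(name, value)
            if verdict != "benign":
                findings.append((path, name, verdict))
    return findings


def snapshot_tree(root: str) -> Dict[str, Dict[str, bytes]]:
    """Collect attributes under root with os.listxattr (CPython exposes it on Linux;
    on macOS, build the same {path: {name: value}} shape from `xattr -l` output)."""
    snap: Dict[str, Dict[str, bytes]] = {}
    if not hasattr(os, "listxattr"):
        return snap
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                names = os.listxattr(p, follow_symlinks=False)
                snap[p] = {n: os.getxattr(p, n, follow_symlinks=False) for n in names}
            except OSError:
                continue
    return snap


# Constructed sample snapshot: one app binary carries a script under the custom name "test".
SAMPLE = {
    "/Applications/Decoy.app/Contents/MacOS/Decoy": {
        "com.apple.quarantine": b"0083;66e1a2b0;Safari;",
        "test": b"#!/bin/sh\nosascript -e 'display dialog \"Unsupported version\"'\n",
    },
    "/Users/demo/report.pdf": {"com.apple.metadata:kMDItemWhereFroms": b"bplist00"},
    "/Users/demo/notes.txt": {"user.comment": b"quarterly notes"},
}

if __name__ == "__main__":
    for finding in scan_snapshot(SAMPLE):
        print(*finding)
```

Run against `snapshot_tree("/Applications")` on a host that exposes `os.listxattr`, or feed it `xattr -l` output; every `script` verdict is worth a manual look and every `unknown` name is worth a baseline entry.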

Indicators of Compromise

