This Meeting Should Have Been an Email

2024-07-15 Objective-See

https://objective-see.org/blog/blog_0x7A.html


Objective-See analyzed a malicious macOS disk image, MiroTalk.dmg, served from a cloned MiroTalk site and attributed in the source to North Korean operators, consistent with Palo Alto Networks Unit 42's reporting on job-themed lure campaigns. The unsigned app bundle carried a Qt/QMake-built Mach-O binary named Jami whose strings referenced browser-data and keychain file paths, cryptocurrency-wallet browser-extension IDs, upload and download routines, and command-and-control traffic to 95.164.17[.]24:1224. Under dynamic analysis the binary attempted to read the macOS login keychain and send data to that server, while its attempts to fetch follow-on payloads from endpoints such as /client/99 appeared to fail during the analysis window. Because the same API endpoint patterns match BeaverTail, the operators appear to have ported that JavaScript implant to a native macOS build for use in social-engineering lures.
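The network indicators above (the C2 address and port, the lure domains, and the /client/99 payload endpoint) are the ones a defender can hunt for in proxy or egress logs. The script below is an added example, not code from Objective-See's post: it classifies each URL against those indicators and scans a constructed proxy log. The log format (`timestamp client_ip method url status`) and the sample lines are made up for the example, and generalising the observed /client/99 path to any /client/<n> path is an assumption made here, not something the post states. The page's file hashes are truncated, so they are deliberately not matched.

```python
"""Hunt for the MiroTalk.dmg / BeaverTail network indicators in proxy logs (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from the summary above.
C2_IP = "95.164.17.24"
C2_PORT = 1224
LURE_DOMAINS = ("mirotalk.net", "meet.no42.org")
# The post observed payload retrieval at /client/99; matching /client/<n> in general
# is an assumption made in this example, not something the post states.
CLIENT_ENDPOINT = re.compile(r"^/client/\d+$")


@dataclass(frozen=True)
class Hit:
    line_no: int
    reason: str
    url: str


def classify_url(url: str) -> list[str]:
    """Return the indicator reasons a single URL triggers (empty list if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: list[str] = []
    if host == C2_IP:
        # Any contact with the C2 host is interesting; the known port is more so.
        reasons.append("c2-ip" if parts.port == C2_PORT else "c2-ip-other-port")
        if CLIENT_ENDPOINT.match(parts.path):
            reasons.append("beavertail-client-endpoint")
    for domain in LURE_DOMAINS:
        # Match the domain and its subdomains, but not look-alikes such as notmirotalk.net.
        if host == domain or host.endswith("." + domain):
            reasons.append(f"lure-domain:{domain}")
    return reasons


def scan_log(text: str) -> list[Hit]:
    """Scan a constructed proxy log with one `<timestamp> <client_ip> <method> <url> <status>` record per line.

    Malformed records are skipped rather than raising, so one bad line does not abort a hunt.
    """
    hits: list[Hit] = []
    for line_no, line in enumerate(text.strip().splitlines(), start=1):
        fields = line.split()
        if len(fields) < 5:
            continue
        url = fields[3]
        for reason in classify_url(url):
            hits.append(Hit(line_no, reason, url))
    return hits


# Constructed sample log; not real telemetry from the analysis.
SAMPLE_LOG = """
2024-07-16T09:58:11Z 10.0.0.5 GET  https://mirotalk.net/app/ 200
2024-07-16T09:59:40Z 10.0.0.5 GET  http://95.164.17.24:1224/client/99 502
2024-07-16T10:00:01Z 10.0.0.7 GET  https://meet.google.com/abc-defg-hij 200
2024-07-16T10:02:13Z 10.0.0.5 POST http://95.164.17.24:1224/uploads 200
2024-07-16T10:03:00Z 10.0.0.9 GET  https://cdn.meet.no42.org/loader.js 200
corrupt record
2024-07-16T10:05:42Z 10.0.0.7 GET  https://notmirotalk.net/ 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.reason} {hit.url}")
```

Contact with the C2 IP on a port other than 1224 is reported separately rather than ignored, since infrastructure reuse across ports is common; the look-alike domain on the last sample line must produce no hit, which is why the domain check requires an exact match or a dot-separated subdomain.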

Indicators of Compromise

Type    Value                              First Seen   Last Seen
IPv4    95.164.17.24                       2024-07-15   2026-04-01
DOMAIN  mirotalk.net                       2024-07-15   2025-02-20
HASH    9abf6b93eafb797a3556bea1fe8a3b7…   2024-07-15   2025-01-01
URL     https://meet.no42.org              2024-07-15   2025-01-01
URL     https://mirotalk.net/app/MiroTa…   2024-07-15   2025-01-01
DOMAIN  meet.no42.org                      2024-07-15   2025-01-01
HASH    0f5f0a3ac843df675168f82021c2418…   2024-07-15   2024-10-09
