Field Effect investigated a compromise at a Canadian online gambling provider that it says may be associated with BlueNoroff, a financially motivated North Korean Lazarus subgroup. The victim joined a cryptocurrency-related Zoom meeting with an impersonated trusted contact and was prompted to run a fake Zoom audio repair script that hid malicious curl and zsh commands after thousands of blank lines. The macOS infection chain downloaded scripts from zoom-tech[.]us, collected the user's local password, used sudo, staged malware under Apple-like filenames, and installed LaunchDaemon persistence for privileged execution. Follow-on components communicated with infrastructure including ajayplamingo[.]com, ajayplamingop[.]com, and 23.254.203[.]244 while deploying an infostealer, loader, Wi-Fi Updater component, and a more capable implant. The case shows how contact impersonation and brand-themed troubleshooting lures can give financially motivated DPRK operators hands-on access to macOS systems in gambling, crypto, and fintech-adjacent environments.