The fake PDF attached to the "PURCHASE ORDER 05-30-2023" email contains a link from which a .tgz archive is downloaded; inside the gzip-compressed TAR is an .exe: the malware.
Lazarus targets blockchain companies with TraderTraitor
North Korea's APT sends spear-phishing messages to employees of cryptocurrency firms that mimic recruitment offers for high-paying jobs; the goal is to get the recipient to download the malware.
North Korea's state-sponsored hackers are targeting blockchain companies, according to a joint advisory from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department. Lazarus (aka APT38, BlueNoroff and Stardust Chollima) has used AppleJeus, trojanized cryptocurrency trading applications modified to include malware that facilitates theft of cryptocurrency, against individuals and companies, including cryptocurrency exchanges and financial services firms. The APT targets firms, entities and exchanges in the blockchain and cryptocurrency industry with spear-phishing campaigns and malware to steal cryptocurrency. Intrusions begin with a large number of messages sent to employees of cryptocurrency companies, often those working in DevOps, on a variety of communication platforms. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the advisory collectively names "TraderTraitor".
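The lure described in the caption above ends with an archive that carries a Windows executable. The following is an added example, not code from the article or from the advisory it summarises, showing how a mail gateway or analyst script can triage such a .tgz without extracting it to disk: it flags members by executable extension, by a document extension hidden behind a double extension, by a PE header regardless of the file name, and by path-traversal member names. The archive it scans is constructed inline from a minimal MZ/PE stub (not a real malware artefact); the extension lists are assumptions, not taken from the page.

```python
from __future__ import annotations

import io
import tarfile

# Assumption: a practical short list of extensions Windows will run directly.
EXEC_EXTENSIONS = {".exe", ".scr", ".dll", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".msi", ".hta", ".lnk"}
# Assumption: document extensions commonly used as the decoy half of "name.pdf.exe".
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
HEADER_BYTES = 4096  # enough to cover the DOS header and the e_lfanew target


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_member(member: tarfile.TarInfo, head: bytes) -> list[str]:
    """Return the reasons a single archive member is suspicious (empty list if none)."""
    reasons = []
    basename = member.name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = basename.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append("executable extension")
    if len(parts) > 2 and ("." + parts[-2]) in DOC_EXTENSIONS:
        reasons.append("document extension hidden by double extension")
    if looks_like_pe(head):  # content check: renaming the .exe does not help the attacker
        reasons.append("PE header (MZ/PE) regardless of extension")
    return reasons


def inspect_tgz(tgz_bytes: bytes) -> dict[str, list[str]]:
    """Scan a gzip-compressed TAR in memory; return {member_name: [reasons]} for suspicious entries."""
    findings: dict[str, list[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            norm = member.name.replace("\\", "/")
            if norm.startswith("/") or ".." in norm.split("/"):
                findings[member.name] = ["path traversal in member name"]
                continue
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            head = fh.read(HEADER_BYTES) if fh else b""  # only the header is read, never written out
            reasons = classify_member(member, head)
            if reasons:
                findings[member.name] = reasons
    return findings


def build_sample_tgz() -> bytes:
    """Constructed sample archive mimicking the lure's layout; the PE stub is a 0x58-byte dummy."""
    pe_stub = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    pe_stub[0x3C:0x40] = (0x40).to_bytes(4, "little")     # e_lfanew -> offset 0x40
    pe_stub += b"PE\x00\x00" + b"\x00" * 20               # PE signature and padding
    files = {
        "PURCHASE ORDER 05-30-2023/README.txt": b"Please see the attached order.\n",
        "PURCHASE ORDER 05-30-2023/PURCHASE ORDER.pdf.exe": bytes(pe_stub),
        "PURCHASE ORDER 05-30-2023/viewer.dat": bytes(pe_stub),  # PE hiding behind a bland extension
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_tgz(build_sample_tgz()).items():
        print(f"{name}: {', '.join(reasons)}")
```

The content check matters more than the extension checks: the archive member can be renamed freely by the sender, but a Windows loader still needs the MZ/PE structure, so the header test survives the rename that defeats a naive `*.exe` filter.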