A security alert regarding APT-C-28 (ScarCruft) using MiradorShell to launch a cyberattack.
Essential information
- Published: 09/02/2026 10:18
- Modified: 09/02/2026 11:44
- Tags: 2026-02-09, backdoor, miradorshell, phishing, scarcruft
- Related entities: 4 observables, 1 intrusion set (APT), 16 techniques (MITRE), 1 malware, 2 others
Description
A recent investigation reveals that the APT-C-28 (ScarCruft) group has expanded its targets to include the cryptocurrency industry. The group employs sophisticated phishing tactics, using LNK files disguised as PDFs to lure victims with investment proposals ranging from $1-3 million. Upon execution, a multi-stage payload deployment occurs, ultimately installing MiradorShell v2.0 to gain system control. The attack chain involves file downloads, decryption, and the creation of scheduled tasks for persistence. MiradorShell, an AutoIt-based backdoor, connects to a command and control server, offering reverse shell capabilities, file management, remote program execution, and victim fingerprinting. The malware employs various evasion techniques, including inline library files and direct API calls.
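The lure described above relies on a shortcut whose name looks like a PDF but whose target is a shell interpreter. The following triage helper is an added example, not code from the alert or its authors: it parses the Shell Link (.lnk) header and StringData fields (MS-SHLLINK), and flags a document-named shortcut that launches an interpreter. The interpreter list, the suspicious-extension list and the sample shortcut bytes are constructed for the example, not observables from the alert.

```python
"""Triage helper for .lnk files posing as documents (constructed example)."""
import struct

# LinkFlags bits from the Shell Link header (MS-SHLLINK 2.1.1).
HAS_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData sections appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon"))
# Assumed list: interpreters a document shortcut has no business launching.
INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
DOC_DISGUISE = (".pdf.lnk", ".doc.lnk", ".docx.lnk", ".xlsx.lnk")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (name, relative_path, working_dir, arguments, icon)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]      # LinkFlags follows HeaderSize + LinkCLSID
    pos = 0x4C
    if flags & HAS_TARGET_IDLIST:                        # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                            # skip LinkInfo (4-byte size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        raw = data[pos:pos + count * width]
        out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return out

def is_suspicious(filename: str, data: bytes) -> bool:
    """Document-looking name plus an interpreter in the target/arguments is the lure pattern."""
    fields = parse_lnk(data)
    disguised = filename.lower().endswith(DOC_DISGUISE)
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return disguised and any(exe in target for exe in INTERPRETERS)

def build_sample_lnk(path: str, args: str) -> bytes:
    """Construct a minimal Unicode .lnk with RelativePath + Arguments (test fixture only)."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")   # LinkCLSID, on-disk order
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    def s(v): return struct.pack("<H", len(v)) + v.encode("utf-16-le")
    return bytes(header) + s(path) + s(args)

SAMPLE = build_sample_lnk(r"..\..\Windows\System32\cmd.exe", "/c echo constructed-sample")
```

On a real mailbox or endpoint sweep, feed each `.lnk` attachment's bytes and file name to `is_suspicious` and quarantine hits for analyst review; the parser deliberately skips the IDList, so a shortcut that carries its target only there needs a fuller parser.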