Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware


The Lazarus Group, a North Korean-linked threat actor, has been targeting nuclear engineers with a new malware called CookiePlus as part of its long-running Operation Dream Job cyber espionage campaign. In January 2024, Lazarus used trojanized VNC apps disguised as job assessment tools to infect at least two employees at a nuclear-related organization, deploying a modular backdoor. The attacks involved distributing malicious archives containing AmazonVNC.exe or UltraVNC, which sideloaded a DLL to install malware like MISTPEN, RollMid, and LPEClient. CookiePlus, masquerading as a Notepad++ plugin, serves as a downloader for additional payloads and allows C2 communication via encoded cookies. This campaign highlights Lazarus' evolving arsenal, contributing to North Korea's record $1.34 billion stolen from cryptocurrency hacks in 2024, reflecting increased sophistication and frequency of attacks.
