This ‘p.zi’ string looked familiar to us as well, even without deobfuscating the code – it is similar to other pieces of malware that have been previously tied to the DPRK and resembles the ‘BeaverTail’ campaign, originally described by Palo Alto’s Unit 42 in this report.

Quote

Sources

Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics