Cyber Web Spider Blog – News
Lazarus Group Expands Malware Arsenal With PondRAT, ThemeForestRAT, and RemotePE

Posted on September 2, 2025 by CWS

Sep 02, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence
The North Korea-linked threat actor known as the Lazarus Group has been attributed to a social engineering campaign that distributes three different pieces of cross-platform malware known as PondRAT, ThemeForestRAT, and RemotePE.
The attack, observed by NCC Group's Fox-IT in 2024, targeted an organization in the decentralized finance (DeFi) sector, ultimately resulting in the compromise of an employee's system.
"From there, the actor performed discovery from inside the network using different RATs along with other tools, for example, to harvest credentials or proxy connections," Yun Zheng Hu and Mick Koomen said. "Afterwards, the actor moved to a stealthier RAT, likely signifying a next stage in the attack."
The attack chain begins with the threat actor impersonating an existing employee of a trading company on Telegram and using fake websites masquerading as Calendly and Picktime to schedule a meeting with the victim.

Although the exact initial access vector is currently not known, the foothold is leveraged to deploy a loader called PerfhLoader, which then drops PondRAT, a known malware assessed to be a stripped-down variant of POOLRAT (aka SIMPLESEA). The cybersecurity company said there is some evidence to suggest that a then-zero-day exploit in the Chrome browser was used in the attack.
Also delivered alongside PondRAT are a number of other tools, including a screenshotter, keylogger, Chrome credential and cookie stealer, Mimikatz, FRPC, and proxy programs like MidProxy and Proxy Mini.
"PondRAT is a simple RAT that allows an operator to read and write files, start processes, and run shellcode," Fox-IT said, adding it dates back to at least 2021. "The actor used PondRAT along with ThemeForestRAT for roughly three months, to afterwards clean up and install the more sophisticated RAT called RemotePE."

The PondRAT malware is designed to communicate over HTTP(S) with a hard-coded command-and-control (C2) server to receive further instructions, with ThemeForestRAT launched directly in memory either via PondRAT or a dedicated loader.
ThemeForestRAT, like PondRAT, monitors for new Remote Desktop (RDP) sessions and contacts a C2 server over HTTP(S) to retrieve as many as twenty commands to enumerate files/directories, perform file operations, execute commands, test a TCP connection, timestomp a file based on another file on disk, get a process listing, download a file, inject shellcode, spawn processes, and hibernate for a specific period of time.
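The timestomp capability listed above (copying one file's timestamps onto another) leaves a detectable inconsistency: the stomped file shares a donor's mtime to the nanosecond, while its inode change time still records the moment of the utime() call. The following triage heuristic is an added example, not Fox-IT's or the article's own code; the paths and stat values are constructed, and the change-time field assumes Linux/macOS ctime semantics.

```python
import os
from collections import defaultdict

NS = 10**9  # nanoseconds per second

# Constructed stat records (path, mtime_ns, change_ns). change_ns is the inode
# change time: ctime on Linux/macOS, which utime() cannot set, so it survives
# a timestomp. On NTFS the equivalent field is the $FILE_NAME timestamp in the
# MFT, not Python's st_ctime (which is creation time on Windows).
SAMPLE_RECORDS = [
    # legitimate old system library: mtime and change time agree
    ("/usr/lib/x86_64-linux-gnu/libc.so.6", 1_600_000_000 * NS, 1_600_000_120 * NS),
    # dropped implant whose mtime was copied from libc.so.6 to the nanosecond,
    # but whose change time is the moment the timestamps were rewritten
    ("/tmp/.cache/helper.so", 1_600_000_000 * NS, 1_725_000_000 * NS),
    ("/home/alice/notes.txt", 1_724_900_000 * NS, 1_724_900_005 * NS),
    ("/home/alice/report.odt", 1_724_950_000 * NS, 1_724_950_000 * NS),
]


def find_timestomp_candidates(records, min_gap_seconds=3600):
    """Return (suspect, donor) pairs: the suspect's change time is far newer
    than its mtime, and its mtime equals, to the nanosecond, the mtime of a
    donor whose own timestamps are consistent (so the donor is the original)."""
    records = list(records)
    by_mtime = defaultdict(list)
    for path, mtime_ns, change_ns in records:
        by_mtime[mtime_ns].append((path, change_ns))
    gap_ns = min_gap_seconds * NS
    hits = []
    for path, mtime_ns, change_ns in records:
        if change_ns - mtime_ns < gap_ns:
            continue  # timestamps consistent with an unmodified file
        # chmod/rename also bump the change time, so a large gap alone is not
        # enough: require an exact-nanosecond donor that was not itself stomped
        for donor, donor_change_ns in by_mtime[mtime_ns]:
            if donor != path and donor_change_ns - mtime_ns < gap_ns:
                hits.append((path, donor))
    return hits


def collect_records(root):
    """Walk a live tree and build records (Linux/macOS ctime semantics)."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            out.append((full, st.st_mtime_ns, st.st_ctime_ns))
    return out


if __name__ == "__main__":
    for suspect, donor in find_timestomp_candidates(SAMPLE_RECORDS):
        print(f"possible timestomp: {suspect} borrowed mtime from {donor}")
```

On a live host, pass `collect_records("/some/tree")` to the detector; a hit is a lead for deeper review (hash, signature, loaded-module checks), not a verdict on its own.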

Fox-IT said ThemeForestRAT shares similarities with a malware codenamed RomeoGolf that was put to use by the Lazarus Group in the November 2014 destructive wiper attack against Sony Pictures Entertainment (SPE). It was documented by Novetta as part of a collaborative effort known as Operation Blockbuster.
RemotePE, on the other hand, is retrieved from a C2 server by RemotePELoader, which, in turn, is loaded by DPAPILoader. Written in C++, RemotePE is a more advanced RAT that is likely reserved for high-value targets.
"PondRAT is a primitive RAT that provides little flexibility, however, as an initial payload it achieves its goal," Fox-IT said. "For more complex tasks, the actor uses ThemeForestRAT, which has more functionality and stays under the radar as it is loaded into memory only."
