Fox-IT and NCC Group have released a detailed joint analysis exposing how a Lazarus Group subgroup continues to refine its tradecraft against the financial and cryptocurrency sector. The report examines three custom remote access trojans (RATs)—PondRAT, ThemeForestRAT, and RemotePE—and highlights the group’s persistence and adaptability in long-running campaigns.
According to the report, “In all cases, the actor used social engineering as an initial access vector. In one case, we suspect a zero-day might have been used to achieve code execution on one of the victim’s machines.”
The subgroup often impersonates real employees of trading companies via Telegram, luring targets with fake scheduling websites. Fox-IT noted, “We found traces matching a social engineering technique… posing as employees of investment institutions on Telegram.”

The investigation reveals a multi-stage infection strategy:
- PondRAT – A lightweight RAT acting as a loader and initial foothold. It supports file operations, process execution, and shell commands. The report calls it “a simple RAT… its authors seem to refer to the malware as firstloader.”
- ThemeForestRAT – A stealthier second-stage implant, resident in memory only. It supports over 20 commands, including file operations, process management, shellcode injection, and persistence manipulation. Researchers highlight, “ThemeForestRAT remains a relevant and capable tool for this actor… it is used as a stealthier second-stage RAT with more functionality.”
- RemotePE – The final, more advanced payload. Unlike the others, RemotePE uses Windows’ DPAPI for encryption, demonstrating higher operational security. The report states, “We found evidence that the actor cleaned up PondRAT and ThemeForestRAT artifacts and subsequently installed RemotePE, potentially signifying a next stage in the attack.”
The subgroup relies on PerfhLoader, a custom loader that abuses phantom DLL loading (a DLL name that a legitimate Windows component tries to load but that does not exist on disk, so a planted file of that name is loaded instead). As Fox-IT notes, “The actor leveraged the SessionEnv service for persistence… enabling loading kernel drivers, which can bypass or disable Endpoint Detection and Response (EDR) tools.”
By staging RATs in memory and wiping earlier artifacts, the attackers reduce forensic visibility while maintaining long-term control.
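To make the phantom DLL loading technique behind PerfhLoader concrete from the defender's side, here is an added audit script (not code from the Fox-IT/NCC Group report) that classifies DLL names a service host resolves at start-up: present in System32, absent everywhere (a hijackable gap), or absent from System32 but present in another search directory (worth investigating). The report does not name the specific DLL the actor planted, so the DLL names and directories below are constructed placeholders built in a temporary folder.

```python
"""Phantom DLL audit: flag DLL names a service host would resolve from a
writable search directory because no copy exists in the system directory."""
import tempfile
from pathlib import Path


def classify_dll(name, system_dir, search_dirs):
    """Classify one DLL name.

    ('present', [])     : exists in system_dir, resolved normally.
    ('phantom', [])     : missing from system_dir and every search dir; any
                          same-named file planted in a search dir would load.
    ('suspect', paths)  : missing from system_dir but found in search dirs;
                          the returned paths are the files to investigate.
    """
    if (Path(system_dir) / name).is_file():
        return "present", []
    hits = [str(Path(d) / name) for d in search_dirs
            if (Path(d) / name).is_file()]
    return ("suspect", hits) if hits else ("phantom", [])


def audit_phantom_dlls(dll_names, system_dir, search_dirs):
    """Audit every DLL name; returns {name: (status, paths)}."""
    return {n: classify_dll(n, system_dir, search_dirs) for n in dll_names}


def run_demo():
    """Build a constructed fixture (placeholder names, temp dirs) and audit it."""
    root = Path(tempfile.mkdtemp(prefix="phantom_audit_"))
    system_dir = root / "System32"          # stands in for the real System32
    tools_dir = root / "Tools"              # a writable dir on the search path
    system_dir.mkdir()
    tools_dir.mkdir()
    (system_dir / "real.dll").write_bytes(b"")     # legitimate, in place
    (tools_dir / "planted.dll").write_bytes(b"")   # only outside System32
    # gap.dll exists nowhere: the classic phantom DLL loading opportunity
    names = ["real.dll", "planted.dll", "gap.dll"]
    return audit_phantom_dlls(names, system_dir, [tools_dir]), str(tools_dir)


if __name__ == "__main__":
    results, _ = run_demo()
    for name, (status, paths) in results.items():
        print(f"{name:12} {status:8} {paths}")
```

On a real host you would feed it the DLL names the service host attempts to load (e.g. from an image-load trace) together with the directories on its search path.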
Alongside the custom implants, attackers deployed credential harvesters, screenshot tools, keyloggers, proxy utilities, and even public tools like Mimikatz and FRP. Fox-IT researchers observed, “Interestingly, the Fast Reverse Proxy client we found was the same client found in the 3CX compromise by Mandiant.”
The report underscores that Lazarus operations remain persistent, financially motivated, and technically adaptable. “This is a capable, patient, financially motivated actor who remains a legitimate threat,” Fox-IT and NCC Group conclude.
The strategic use of multiple RATs—simple loaders like PondRAT, stealthy implants like ThemeForestRAT, and advanced payloads like RemotePE—demonstrates a tiered approach to intrusion, persistence, and stealth, optimized for long-term espionage and financial exploitation.