The North Korea-linked cybercriminal organization Lazarus Group has been connected to a sophisticated social engineering campaign deploying three types of cross-platform malware: PondRAT, ThemeForestRAT, and RemotePE.
According to research by NCC Group’s Fox-IT, the attack was detected in 2024 and targeted a company in the decentralized finance (DeFi) sector, eventually compromising an employee’s workstation.
“The attackers conducted reconnaissance within the compromised network using multiple RATs and supporting tools to harvest credentials and proxy connections,” said Fox-IT researchers Yun Zheng Hu and Mick Koomen. “They later transitioned to a stealthier RAT, indicating progression to the next stage of the operation.”
Attack Vector and Initial Compromise
The intrusion began with Lazarus Group impersonating an employee of a trading firm on Telegram and directing the victim to fraudulent scheduling websites that mimicked Calendly and Picktime.
Although the exact initial access vector is still uncertain, evidence suggests the attackers may have exploited a zero-day vulnerability in Google Chrome. Once inside, they deployed a loader named PerfhLoader, which delivered PondRAT, a streamlined variant of POOLRAT (aka SIMPLESEA).
Malware Capabilities
Alongside PondRAT, the attackers deployed various tools, including:
- Keyloggers and screenshot utilities
- Chrome credential and cookie stealers
- Mimikatz for credential dumping
- Proxy tools like FRPC, MidProxy, and Proxy Mini
PondRAT provides basic remote access capabilities such as reading/writing files, executing processes, and running shellcode. Its communication is handled over HTTP(S) with a hard-coded command-and-control (C2) server.
ThemeForestRAT, launched in memory either via PondRAT or a dedicated loader, supports more advanced operations. It can execute up to 20 commands, including file management, command execution, TCP testing, timestomping, process enumeration, and shellcode injection.
Researchers noted similarities between ThemeForestRAT and RomeoGolf, malware previously attributed to Lazarus during the 2014 Sony Pictures Entertainment attack, part of Operation Blockbuster.
Finally, RemotePE, deployed through RemotePELoader and DPAPILoader, is an advanced C++-based RAT reserved for high-value targets.
Attack Progression
Fox-IT explained that the attackers used PondRAT and ThemeForestRAT simultaneously for roughly three months before transitioning to the stealthier and more capable RemotePE.
“PondRAT is simple but effective as an initial payload,” Fox-IT stated. “ThemeForestRAT offers greater flexibility, while RemotePE represents the more advanced stage of Lazarus operations.”
Key Takeaway
This campaign highlights Lazarus Group’s ongoing evolution and its ability to combine social engineering, zero-day exploits, and custom malware to target high-value organizations in sectors like DeFi. Security teams must remain vigilant against increasingly sophisticated multi-stage attack chains leveraging both well-known and novel malware families.
Source: https://thehackernews.com/2025/09/lazarus-group-expands-malware-arsenal.html