The Lazarus Group, linked to North Korea, conducted a social engineering campaign targeting a DeFi organization, deploying multiple cross-platform malware families, including PondRAT, ThemeForestRAT, and RemotePE. This sophisticated attack involved credential harvesting, lateral movement, and the use of zero-day exploits, emphasizing the evolving tactics of threat actors. #LazarusGroup #DeFiSecurity
Key points
- The Lazarus Group used social engineering to initiate the attack, impersonating employees on Telegram.
- The attack began with the deployment of PerfhLoader, which dropped PondRAT, a lightweight remote access trojan.
- The malware chain included ThemeForestRAT for more covert operations and RemotePE for high-value targets.
- Multiple tools such as keyloggers, credential stealers, and proxy programs were used to facilitate the attack.
- The attackers possibly exploited a Chrome zero-day vulnerability, highlighting the role of zero-day exploits in complex cyber campaigns.
Read More: https://thehackernews.com/2025/09/lazarus-group-expands-malware-arsenal.html