Lazarus Targets DeFi with Layered RAT Campaign

A Lazarus subgroup targeting financial and cryptocurrency organizations used social engineering and likely a Chrome zero-day to deploy multiple RATs — PondRAT, ThemeForestRAT and RemotePE — progressing from initial loaders to a more advanced in-memory RAT. The actor used phantom DLL persistence via PerfhLoader, extensive discovery tools, and cleaned up artifacts before deploying RemotePE, linking activity to AppleJeus, POOLRAT, Citrine Sleet and Gleaming Pisces. #PondRAT #ThemeForestRAT

Keypoints

  • Actor: Lazarus subgroup with overlaps to AppleJeus, Citrine Sleet, UNC4736 and Gleaming Pisces, focused on financial and cryptocurrency targets.
  • Initial access: social engineering via Telegram impersonation and fake Calendly/Picktime sites; suspected Chrome zero-day in at least one case.
  • Persistence: phantom DLL loading using SessionEnv and PerfhLoader (perfh011.dat) with a rolling XOR cipher and Manual-DLL-Loader for in-memory DLL execution.
  • Tooling & discovery: combination of custom tools (screenshotter, keylogger, browser dumper, MidProxy) and public tools (Mimikatz, frpc, Proxy Mini, Themida-packed Quasar, Fast Reverse Proxy v0.32.1).
  • Malware progression: PondRAT used as an initial loader and C2-connected RAT; ThemeForestRAT used as a stealthier in-memory second-stage RAT; later replaced by a more advanced RemotePE.
  • PondRAT shows notable code and protocol similarities to POOLRAT (SimpleTea), including bot ID generation, command status format, and file deletion/rename strategy.
  • ThemeForestRAT features: cross-platform (Windows/Linux/macOS), RC4-encrypted config, HTTP(S) C2 using ThemeForest_/Thumb_ filenames, >20 commands including shellcode injection and optional execution under active console sessions.

MITRE Techniques

  • [T1598] Phishing – Social engineering via Telegram impersonation and fake meeting websites to trick employees into meetings (“…impersonates an existing employee of a trading company on Telegram and sets up a meeting with the victim, using fake meeting websites.”)
  • [T1204] User Execution – Victim executed or interacted with malicious content delivered through social engineering and fake sites (“…an employee’s machine was compromised through social engineering.”)
  • [T1190] Exploit Public-Facing Application – Suspected Chrome zero-day exploitation to achieve code execution (“…we suspect a Chrome zero-day exploit was used.”)
  • [T1547.011] Hijack Execution Flow: DLL Search Order Hijacking/Phantom DLL Loading – Using vulnerable services (SessionEnv, IKEEXT) and placing malicious DLLs in %SystemRoot%\System32 to achieve persistence (“…SessionEnv service is vulnerable to phantom DLL loading… custom TSVIPSrv.dll… PerfhLoader.”)
  • [T1105] Ingress Tool Transfer – Downloading RemotePE via RemotePELoader from C2 and using DPAPI-encrypted payloads on disk (“RemotePE is retrieved from a C2 server by RemotePELoader… encrypted on disk using Windows Data Protection API (DPAPI).”)
  • [T1059] Command and Scripting Interpreter – Execution of shell commands and remote commands via RATs (PondRAT, ThemeForestRAT) including running shellcode and processes (“PondRAT allows an operator to read and write files, start processes and run shellcode.” / “CServer::OnCmdRun… Run command in background and return output”)
  • [T1027] Obfuscated Files or Information – Use of rolling XOR, Base64 encoding, RC4 encryption and DPAPI to obfuscate payloads and configuration (“Messages sent between the malware and the server are XOR-ed first and then Base64-encoded.” / “The configuration file of ThemeForestRAT is encrypted with RC4…”)
  • [T1005] Data from Local System – Collection of credentials and browser data using a custom browser dumper and Mimikatz (“Chromium browser dumper… Mimikatz Windows secrets dumper”)
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – Exploitation of the vulnerable VIAGLT64.SYS kernel driver (CVE-2017-16237) in an earlier case to gain SYSTEM privileges (“the vulnerable VIAGLT64.SYS kernel driver (CVE-2017-16237) was also used to gain SYSTEM privileges.”)
  • [T1070.006] Timestomp – POOLRAT (the PondRAT relative) can timestomp files, and configuration-file timestomping is a trait shared with RomeoGolf (“POOLRAT has… can timestomp files…” / “Configuration file timestomped to mspaint.exe”)

Indicators of Compromise

  • [domain] Fake meeting and C2 domains – calendly[.]live, picktime[.]live, oncehub[.]co, dpkgrepo[.]com, pypilibrary[.]com, pypistorage[.]com
  • [domain] RAT and payload C2s – arcashop[.]org (PondRAT C2), jdkgradle[.]com (PondRAT C2), latamics[.]org, lmaxtrd[.]com (ThemeForestRAT C2), paxosfuture[.]com (ThemeForestRAT C2), aes-secure[.]net (RemotePE)
  • [ip] Proxy / infrastructure – 144.172.74[.]120 (Fast Reverse Proxy server), 192.52.166[.]253 (used as parameter for Quasar)
  • [filename/path] Persistence and loader artifacts – %SystemRoot%\system32\tsvipsrv.dll (SessionEnv phantom DLL), wlbsctrl.dll (IKEEXT phantom DLL), perfh011.dat (PerfhLoader encrypted payload)
  • [file] Config / RAT files – netraid.inf (ThemeForestRAT Windows config), /var/crash/cups (ThemeForestRAT Linux config), /private/etc/imap (ThemeForestRAT macOS config)
  • [hash] Loader and RAT binaries – 8c3c8f24… (PerfhLoader), 6510d460… (ThemeForestRAT macOS), 4f6ae011… (PondRAT macOS), 37f5afb9… (RemotePELoader decrypted), and 24d5dd30… (frp v0.32.1) (see Table 7 for full hashes and contexts)
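The indicators above are defanged (`[.]`), so they cannot be pasted straight into a log search. The following is an added hunting helper, not code from the Fox-IT report: it refangs the domains, IPs and phantom-DLL/loader filenames listed in this summary and matches them against log lines. Domains match on suffix so subdomains of a listed C2 are caught, and filenames match on basename, case-insensitively, so a Sysmon FileCreate for `TSVIPSrv.dll` in `System32` is found regardless of casing. The log lines embedded at the bottom are constructed for illustration and are not from the report.

```python
"""IoC hunting helper for the Lazarus RAT campaign summary (added example).

Refangs the defanged indicators from the summary and scans log lines
(DNS queries, proxy connections, Sysmon FileCreate events) for matches.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Indicators copied from the summary above, in their defanged form.
DOMAINS = [
    "calendly[.]live", "picktime[.]live", "oncehub[.]co", "dpkgrepo[.]com",
    "pypilibrary[.]com", "pypistorage[.]com", "arcashop[.]org", "jdkgradle[.]com",
    "latamics[.]org", "lmaxtrd[.]com", "paxosfuture[.]com", "aes-secure[.]net",
]
IPS = ["144.172.74[.]120", "192.52.166[.]253"]
# Phantom-DLL, loader and config artifacts; matched on basename only.
FILES = ["tsvipsrv.dll", "wlbsctrl.dll", "perfh011.dat", "netraid.inf"]


def refang(ioc: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' style defanging back into a usable string."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


@dataclass(frozen=True)
class Hit:
    line_no: int     # 1-based index of the log line
    kind: str        # "domain", "ip" or "file"
    indicator: str   # refanged indicator that matched


# Host names, IPs and file basenames survive as single tokens when we split
# on anything that is not alphanumeric, '.' or '-' (so ':' and '\\' break tokens).
_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def match_token(tok: str) -> List[Tuple[str, str]]:
    """Return (kind, indicator) pairs that the token matches."""
    out: List[Tuple[str, str]] = []
    t = tok.lower().rstrip(".")  # tolerate a trailing dot from FQDN-style DNS logs
    for d in (refang(x) for x in DOMAINS):
        if t == d or t.endswith("." + d):  # exact host or any subdomain
            out.append(("domain", d))
    for ip in (refang(x) for x in IPS):
        if t == ip:
            out.append(("ip", ip))
    for f in FILES:
        if t == f:  # basename comparison, case-insensitive
            out.append(("file", f))
    return out


def scan(lines: Iterable[str]) -> List[Hit]:
    """Scan log lines and return every (line, kind, indicator) hit once."""
    hits: List[Hit] = []
    seen = set()
    for n, line in enumerate(lines, 1):
        for tok in _TOKEN.findall(line):
            for kind, ind in match_token(tok):
                key = (n, kind, ind)
                if key not in seen:
                    seen.add(key)
                    hits.append(Hit(*key))
    return hits


# Constructed sample log lines (not from the report) mixing benign and matching events.
SAMPLE_LOGS = [
    "2025-09-01T10:14:03Z dns client=10.0.0.15 query=api.arcashop.org type=A",
    "2025-09-01T10:14:09Z dns client=10.0.0.15 query=www.example.com type=A",
    "2025-09-01T10:15:41Z sysmon event=11 image=C:\\Windows\\Temp\\upd.exe target=C:\\Windows\\System32\\TSVIPSrv.dll",
    "2025-09-01T10:16:02Z proxy client=10.0.0.15 dst=144.172.74.120:7000 bytes=8812",
    "2025-09-01T10:16:30Z sysmon event=11 image=C:\\Program Files\\App\\app.exe target=C:\\Users\\u\\report.docx",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} match on {h.indicator}")
```

Feed it real exported logs one line at a time; a file hit on `tsvipsrv.dll` or `wlbsctrl.dll` under `System32` is the phantom DLL persistence described in the keypoints and deserves a look at the writing process, while a domain hit on a subdomain still points at the listed C2 because matching is done on the registrable suffix.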


Read more: https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/