Three Lazarus RATs coming for your cheese
Sept. 3, 2025, 8:38 p.m.
Description
This report analyzes three remote access trojans (RATs) used by a Lazarus subgroup targeting financial and cryptocurrency organizations: PondRAT, ThemeForestRAT, and RemotePE. It details an incident response case from 2024 involving social engineering and possible zero-day exploitation. PondRAT is described as a simple initial access tool, while ThemeForestRAT is a more capable memory-only RAT used in conjunction with it. RemotePE appears to be an advanced RAT deployed in later attack stages. The analysis reveals connections between these tools and previously known Lazarus malware such as POOLRAT. The report highlights the actor's persistence, sophistication, and continued threat to financial targets.
Date
- Created: Sept. 3, 2025, 5:31 p.m.
- Published: Sept. 3, 2025, 5:31 p.m.
- Modified: Sept. 3, 2025, 8:38 p.m.
Additional Information
- Finance