Lazarus subgroup deploys trio of RATs in finance sector attacks
NCC Group and Fox-IT researchers have released joint research analysing three remote access trojans (RATs) deployed by a Lazarus subgroup targeting organisations within the financial and cryptocurrency sectors.
The analysis documents previously unpublicised similarities between the malware families PondRAT and POOLRAT (also known as SimpleTea), as well as providing the first public discussion of ThemeForestRAT, a tool in use for at least six years. The research is based on multiple incident response engagements conducted by both organisations over the past few years.
Threat actor targeting financial sector
The identified Lazarus subgroup is associated with activity previously linked to AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces. The actor's operations leverage a range of RATs, namely PondRAT, ThemeForestRAT, and a more advanced tool dubbed RemotePE, often in conjunction with custom and publicly available tooling.
An incident in 2024 at a decentralised finance company revealed the progression of the attack across four phases: social engineering to gain initial access; exploitation, which led to deployment of PondRAT; a discovery phase involving various tools and credential harvesting; and a final phase in which the initial payloads were removed in favour of RemotePE.
"This research is about a Lazarus subgroup that we have encountered multiple times during incident response engagements. This is a capable, patient, financially motivated actor who remains a legitimate threat," the researchers write.
The researchers noted the use of sophisticated social engineering campaigns, with attackers impersonating employees from trading companies on platforms such as Telegram, and the use of fake meeting scheduling services. The initial access method was not clearly established; a Chrome zero-day exploit is suspected, supported by a sudden change in system monitoring logs around the time of compromise.
Persistence and tooling
The attackers established persistence through phantom DLL loading by the Windows SessionEnv service, placing a loader referred to as PerfhLoader in the system directory. Registry modifications granted privileges that allowed actions such as kernel driver loading, which can be used to circumvent endpoint security measures.
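Phantom DLL loading abuses a service that looks for a DLL that does not normally exist, so the hunting signal is the service host loading a library that Microsoft did not ship. The following added example (not code from the NCC Group/Fox-IT research) applies that check to constructed Sysmon-style ImageLoad records: it flags any DLL loaded by the svchost.exe instance hosting SessionEnv that is unsigned or not signed by Microsoft. The record field names follow Sysmon Event ID 7; the loader filename PLACEHOLDER_phantom.dll is a hypothetical value, since the page does not name the DLL the actor planted.

```python
"""Hunt for phantom DLL loads into the SessionEnv service host (added example)."""
import re

# Constructed Sysmon-style Event ID 7 (ImageLoad) records, not real telemetry.
# sessenv.dll is the legitimate SessionEnv service DLL; the second record uses
# a hypothetical filename standing in for a planted loader.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv",
     "ImageLoaded": r"C:\Windows\System32\sessenv.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv",
     "ImageLoaded": r"C:\Windows\System32\PLACEHOLDER_phantom.dll",  # hypothetical
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k NetworkService -p -s Dnscache",
     "ImageLoaded": r"C:\Windows\System32\dnsrslvr.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def hosts_service(cmdline: str, service: str) -> bool:
    """True if this svchost command line runs the named service (-s <name>)."""
    return re.search(r"-s\s+" + re.escape(service) + r"\b", cmdline, re.I) is not None


def find_suspicious_loads(events, service: str = "SessionEnv"):
    """Return DLL paths loaded by the host of `service` that are not Microsoft-signed.

    Location is deliberately not used as a signal: the page notes the loader was
    placed in the system directory, so only the signature state separates it from
    the legitimate service DLLs living beside it.
    """
    hits = []
    for ev in events:
        if not ev["Image"].lower().endswith(r"\svchost.exe"):
            continue
        if not hosts_service(ev["CommandLine"], service):
            continue
        signed_by_ms = ev["Signed"].lower() == "true" and "microsoft" in ev["Signature"].lower()
        if not signed_by_ms:
            hits.append(ev["ImageLoaded"])
    return hits


if __name__ == "__main__":
    for path in find_suspicious_loads(SAMPLE_EVENTS):
        print("suspicious load into SessionEnv host:", path)
```

On a real estate the same logic runs over exported Sysmon or EDR image-load telemetry; a hit should be triaged against the actual file on disk and the service's expected DLL set rather than treated as a verdict on its own.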
Various tools were identified, including keyloggers, screenshotting utilities, credential dumpers for Chromium-based browsers, proxy tools such as MidProxy, and public tools such as Mimikatz and frp. Interestingly, the Fast Reverse Proxy client used matched the version found in the earlier 3CX supply chain incident.
PondRAT analysis
PondRAT is a simple RAT referred to as "firstloader" in internal build metadata. It enables operators to read and write files, start processes, and execute shellcode, and serves primarily as an initial stage loader for other payloads. The earliest sample tracked dates to 2021. PondRAT is considered a successor to POOLRAT, with code overlaps in function, class naming, bot ID generation, and file handling routines.
Both PondRAT and POOLRAT share a characteristic file handling behaviour: when removing temporary files created during command execution, random bytes overwrite the content, and the filename is successively renamed in a specific pattern before deletion.
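The overwrite-rename-delete sequence is an anti-forensic habit rather than a single indicator, which makes it a good candidate for a behavioural rule over file-activity telemetry. The following added example (not code from the research) runs a heuristic over constructed file events: for each process it follows a file through renames and reports a chain when the file was written, renamed at least a configurable number of times, and then deleted within a short window. The event tuple layout, the process IDs and the paths are all constructed for the example; the page does not publish the exact rename pattern, so the rule keys on the shape of the chain rather than on specific names.

```python
"""Flag overwrite-rename-delete file handling chains (added example, heuristic)."""

TMP = r"C:\Users\u\AppData\Local\Temp"

# Constructed file-activity records: (timestamp_s, pid, action, path, new_path).
# The first chain mimics the wipe behaviour described for PondRAT/POOLRAT; the
# second is a benign editor writing and removing a backup file.
SAMPLE_EVENTS = [
    (100.0, 4242, "create", TMP + r"\out.tmp", None),
    (100.5, 4242, "write",  TMP + r"\out.tmp", None),
    (101.0, 4242, "rename", TMP + r"\out.tmp", TMP + r"\aaaa"),
    (101.1, 4242, "rename", TMP + r"\aaaa",    TMP + r"\bbbb"),
    (101.2, 4242, "rename", TMP + r"\bbbb",    TMP + r"\cccc"),
    (101.3, 4242, "delete", TMP + r"\cccc",    None),
    (200.0, 5151, "write",  r"C:\Users\u\notes.txt~", None),
    (200.5, 5151, "delete", r"C:\Users\u\notes.txt~", None),
]


def find_wipe_chains(events, min_renames: int = 2, window: float = 30.0):
    """Return (pid, original_path, rename_count, span_seconds) for each chain
    that was written to, renamed >= min_renames times and deleted within window.

    State is keyed by (pid, current path) and moves with the file on rename,
    so the original filename survives to the report even after several renames.
    """
    chains = {}   # (pid, current_path) -> chain state
    hits = []
    for ts, pid, action, path, new_path in sorted(events, key=lambda e: e[0]):
        key = (pid, path)
        state = chains.get(key)
        if action in ("create", "write"):
            if state is None:
                state = chains[key] = {"origin": path, "start": ts, "writes": 0, "renames": 0}
            if action == "write":
                state["writes"] += 1
        elif action == "rename":
            if state is None:
                state = {"origin": path, "start": ts, "writes": 0, "renames": 0}
            else:
                del chains[key]
            state["renames"] += 1
            chains[(pid, new_path)] = state
        elif action == "delete" and state is not None:
            del chains[key]
            span = ts - state["start"]
            if state["writes"] >= 1 and state["renames"] >= min_renames and span <= window:
                hits.append((pid, state["origin"], state["renames"], round(span, 1)))
    return hits


if __name__ == "__main__":
    for pid, origin, renames, span in find_wipe_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {origin} renamed {renames}x then deleted within {span}s")
```

Tuning min_renames and window against a baseline of normal temp-file churn keeps the rule from firing on installers and editors, which rename once and delete; the chained renames are the distinguishing feature.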
ThemeForestRAT findings
ThemeForestRAT, named for a C2 protocol string, has been used by this subgroup for at least six years without prior public reporting. Written in C++, it exhibits more features than PondRAT, including support for over twenty commands, directory and process enumeration, secure deletion, configuration updates, and shellcode injection on Windows.
The RAT is typically injected into memory for stealth. Its configuration allows for C2 server rotation, command execution under active console sessions, and adaptive hibernation between C2 contacts. It is also capable of cross-platform operation, with versions identified for Windows, Linux, and macOS.
ThemeForestRAT shares operational similarities with RomeoGolf, a RAT previously detailed in the Operation Blockbuster report on Lazarus activity, including bot ID generation methods, signalling threads for RDP and USB events, and configuration file handling.
RemotePE and attack progression
In advanced stages, the subgroup removed its initial RATs and deployed RemotePE, which the researchers describe as more advanced and operationally elegant. RemotePE is delivered by a loader encrypted with the Windows Data Protection API (DPAPI) and enables tailored operations against high-value targets. Replacing the earlier tools with RemotePE may indicate a shift to more operationally secure tradecraft reserved for more interesting or lucrative victims.
The RAT also features the distinct file renaming and deletion strategy seen in previous Lazarus toolchains, perhaps to hinder forensic recovery.
Indicators and detection
The researchers have published detailed indicators of compromise, including domain names, file paths, and hash values observed during investigation. Notably, these include domains mimicking scheduling services, C2 domains for each RAT, and file artefacts associated with the tools described.
In addition, YARA rules have been made available to assist organisations in hunting for PerfhLoader, RemotePE, ThemeForestRAT, and related artefacts within their environments.
Summary of research
NCC Group and Fox-IT highlight a consistent pattern of activity by this financially motivated threat actor: initial access through customised social engineering, sustained access maintained using simple loaders like PondRAT, operational flexibility and stealth with ThemeForestRAT, and eventual escalation to more advanced tooling such as RemotePE in high-value scenarios.
In their own words, the researchers conclude: "We first discussed an incident response case from 2024, where this actor impersonated employees of trading companies to establish contact with potential victims. Though the method of achieving initial access remains unknown, we suspect a Chrome zero-day was used.
After initial access, two RATs were used in combination: PondRAT and ThemeForestRAT. Though PondRAT has already been discussed, there are no public analyses of ThemeForestRAT at the time of writing. For persistence, phantom DLL loading was used in conjunction with a custom loader called PerfhLoader.
PondRAT is a primitive RAT that provides little flexibility; however, as an initial payload it achieves its purpose. It has similarities with POOLRAT/SimpleTea. For more complex tasks, the actor uses ThemeForestRAT, which has more functionality and stays under the radar as it is loaded into memory only.
Lastly, we found the actor replaced ThemeForestRAT and PondRAT with the more advanced RemotePE. A detailed analysis of RemotePE will be published in the near future."