Lazarus Group Enhances Malware Toolkit with PondRAT, ThemeForestRAT, and RemotePE

Sep 02, 2025
Malware / Threat Intelligence

The North Korea-linked threat actor, Lazarus Group, has been linked to a social engineering campaign that distributes three new cross-platform malware variants: PondRAT, ThemeForestRAT, and RemotePE. This attack, observed by NCC Group’s Fox-IT in 2024, specifically targeted an organization within the decentralized finance (DeFi) sector, resulting in the breach of an employee’s system.

“As the actor accessed the internal network, they utilized various RATs along with other tools to collect credentials and establish proxy connections,” noted Yun Zheng Hu and Mick Koomen. “Subsequently, the attacker transitioned to a more stealthy RAT, indicating a potential progression in their attack strategy.”

The attack began with the threat actor impersonating a current employee of a trading firm via Telegram and using counterfeit websites resembling Calendly and Picktime to arrange a meeting with the target. Although the initial steps were…

Lazarus Group Enhances Malware Capabilities with New Tools: PondRAT, ThemeForestRAT, and RemotePE

On September 2, 2025, cybersecurity researchers revealed that the Lazarus Group, a North Korean-affiliated threat actor, has expanded its malware toolkit. This development includes the introduction of three distinct pieces of cross-platform malware: PondRAT, ThemeForestRAT, and RemotePE. The attack vector, uncovered by NCC Group’s Fox-IT analysts in 2024, primarily targeted an organization within the decentralized finance (DeFi) sector, illustrating a significant risk profile for companies operating in this volatile market.

The operation commenced when the Lazarus Group impersonated an employee from a trading firm through Telegram. Utilizing phishing techniques, the attackers created counterfeit websites resembling legitimate scheduling platforms such as Calendly and Picktime to arrange a meeting with their intended victim. This method of social engineering underscores the increasing sophistication of threat actors who prioritize psychological manipulation to breach security perimeters.

Once the attackers gained initial access, they compromised an employee’s system, allowing them to explore the network extensively. Utilizing a combination of Remote Access Trojans (RATs) and various tools, the advanced persistent threat actor could harvest sensitive credentials and establish proxy connections. According to cybersecurity experts Yun Zheng Hu and Mick Koomen, this stage of the attack demonstrates a calculated approach to network reconnaissance, leveraging different RATs for enhanced operational efficiency.

Following the initial phase, the group transitioned to a more stealthy RAT, indicating a strategic evolution within the attack cycle. With this shift, it is likely that the attackers aimed to further entrench themselves within the victim’s network while minimizing detection risks. Each phase illustrates a careful orchestration that aligns with several tactics identified in the MITRE ATT&CK framework, including initial access, persistence, and privilege escalation.

The incident serves as a reminder of the persistent threat posed by well-funded and organized cybercriminal groups like Lazarus. Companies in the DeFi space, and indeed any sector reliant on digital infrastructure, must remain vigilant to the evolving nature of these attacks, implementing robust cybersecurity measures. As the threat landscape continues to proliferate, understanding these tactics and the tools employed can aid in bolstering defenses and mitigating potential damage.

In summary, the expansion of the Lazarus Group’s malware arsenal underscores an alarming trend in cybercrime, one that presents specific challenges for business owners. With the sophistication of tactics deployed in contemporary breaches, a proactive and informed approach to cybersecurity remains essential in safeguarding organizational assets against such formidable adversaries.

Source link

Related Posts

Unveiling the Hidden Risks of Project Management Tools & How FluentPro Backup Provides Essential Protection

Date: August 28, 2025
Categories: SaaS Security / Business Continuity

Every day, organizations, teams, and project managers depend on tools like Trello and Asana for collaboration and task management. But what happens when that trust is compromised? According to a recent Statista report, the global average cost of a data breach is approximately $4.88 million. Moreover, in 2024, the private data of over 15 million Trello users was exposed on a well-known hacker forum. Despite this, many companies still assume that their platform’s built-in backup systems are sufficient—until they discover otherwise. In the following paragraphs, we will highlight the risks of relying solely on these tools and discuss how cloud backup and recovery solutions can better safeguard your organization against data loss.

Why Are Project Management Tools Increasingly Vulnerable to Data Loss?

Over 95% of businesses today rely on project management tools like Trello and Asana to coordinate tasks, foster collaboration, and track project milestones. However, as project managers become more reliant on these platforms…

Salt Typhoon Exploits Vulnerabilities in Network Edge Devices to Target 600 Organizations Globally

Date: Aug 28, 2025
Categories: Cyber Espionage / Network Security

The advanced persistent threat (APT) group known as Salt Typhoon, linked to China, has ramped up its cyberattacks on networks worldwide, impacting sectors such as telecommunications, government, transportation, hospitality, and military infrastructure. According to a recent joint cybersecurity advisory, these attackers primarily target major telecommunications backbone routers, as well as provider edge (PE) and customer edge (CE) routers. They leverage compromised devices and trusted connections to infiltrate additional networks, often modifying routers to ensure continuous, long-term access. The advisory, issued by authorities from 13 countries, associates this malicious activity with three Chinese firms: Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.

TamperedChef Malware Masquerading as Fake PDF Editors Gathers Credentials and Cookies

Cybersecurity Alert: Aug 29, 2025

Cybersecurity experts have uncovered a new cybercrime operation utilizing deceptive advertising techniques to funnel victims to fraudulent websites, leading them to download an information-stealing malware known as TamperedChef. Researchers from Truesec—Mattias Wåhlén, Nicklas Keijser, and Oscar Lejerbäck Wolf—reported on the findings, revealing that the goal is to entice victims into installing a Trojan PDF editor. This malicious software is designed to capture sensitive information, including login credentials and web cookies. The scheme primarily leverages multiple fake sites to promote a free PDF editor named AppSuite PDF Editor. Once downloaded and executed, the software prompts users to agree to its terms of service and privacy policy, all while in the background covertly connecting to an external server to install the actual malware.

Google Alerts: Salesloft Drift Breach Affects All Integrations Beyond Salesforce

Aug 29, 2025
Data Breach / Salesforce

Google has issued a warning regarding the recent surge of attacks on Salesforce instances via Salesloft Drift, revealing that the scope of the breach is wider than initially believed. The advisory advises all Salesloft Drift customers to consider any authentication tokens linked to the Drift platform as potentially compromised. According to the Google Threat Intelligence Group (GTIG) and Mandiant, the attackers utilized stolen OAuth tokens to access emails from a select few Google Workspace accounts on August 9, 2025, following the breach of the OAuth tokens for the “Drift Email” integration. Importantly, this incident does not represent a compromise of Google Workspace or Alphabet itself. Only accounts specifically set up to integrate with Salesloft were at risk; other accounts on a customer’s Workspace remained secure.