A sophisticated subgroup of the Lazarus threat actor has surfaced in recent months, deploying three distinct remote access trojans (RATs) across compromised financial and cryptocurrency organizations.
Initial access has primarily been achieved via tailored social engineering campaigns on Telegram, where attackers impersonate legitimate employees of well-known trading firms.
Victims are lured to counterfeit meeting websites, such as fake Calendly and Picktime portals, where a suspected Chrome zero-day exploit then facilitates silent code execution on the victim’s machine.
Once inside the network, the attackers immediately deploy PondRAT as a first-stage loader, followed by the stealthier ThemeForestRAT running purely in memory.
After several months of reconnaissance and lateral movement, the Lazarus subgroup cleans up earlier artifacts and installs the more advanced RemotePE RAT to solidify long-term access.
Fox-IT and NCC Group analysts noted that the speed and precision of this infection chain underscore the actor’s advanced capabilities and deep familiarity with both custom and publicly available tooling.
The impact of this campaign extends beyond simple credential theft: the trio of RATs enables file manipulation, shellcode injection, RDP session monitoring, and secure file exfiltration.
Organizations in decentralized finance (DeFi) have reported significant disruptions, with hidden backdoors allowing continuous data harvesting and opportunistic lateral pivots for subsequent supply-chain intrusions.
Despite widespread awareness of Lazarus activity, this subgroup’s use of fresh malware families and suspected zero-day exploits has caught many defenders off guard.
Adding urgency, the group’s refined operational security demonstrates an ability to blend custom loaders with Windows phantom DLL hijacking and DPAPI encryption.
Analysts identified that PerfhLoader abuses the SessionEnv service via phantom DLL loading to persistently execute PondRAT or its predecessor POOLRAT.
The loader decrypts an opaque payload file (e.g., perfh011.dat) using a rolling XOR cipher before in-memory execution.
The three RATs observed in this campaign are:
- PondRAT
- ThemeForestRAT
- RemotePE
Infection Mechanism: Rolling XOR Decryption and In-Memory Execution
A critical element in the Lazarus infection mechanism lies in the decryption and loading of encrypted payloads directly into process memory.
PerfhLoader, a lightweight custom loader, resides in %SystemRoot%\System32\ and reads an innocuous-looking payload file that holds a DLL encrypted with a rolling XOR algorithm.
The Python code below reproduces this cipher; the key state is updated with each processed byte, but only from its own previous contents, so the same routine both encrypts and decrypts:

```python
def crypt_buf(data: bytes) -> bytes:
    """Apply PerfhLoader's rolling XOR cipher to data (symmetric: encrypt == decrypt)."""
    # Initial 16-byte key state: 0x00, 0x01, ..., 0x0F
    xor_key = bytearray(range(0x10))
    buf = bytearray(data)
    for idx in range(len(buf)):
        # Three taps into the 16-byte key ring, indexed relative to the current position
        a = xor_key[(idx + 5) & 0xF]
        b = xor_key[(idx - 3) & 0xF]
        c = xor_key[(idx - 7) & 0xF]
        xor_byte = a ^ b ^ c
        buf[idx] ^= xor_byte
        # The key slot for this position is overwritten with the byte just used,
        # so the key stream evolves from its own state and never from the data
        xor_key[idx & 0xF] = xor_byte
    return bytes(buf)
```
Because the XOR key keeps changing, the payload on disk carries no recognisable PE header or strings, which defeats static signatures and forensic file carving. It offers no real cryptographic strength, however: the key schedule depends only on its own state, so the key stream is identical for every file and a known-plaintext check recovers it trivially.
After decrypting, PerfhLoader leverages an open-source manual DLL loader to inject PondRAT into memory without writing executable files to disk, enabling stealthy reconnaissance and data exfiltration operations.
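The following is an added triage script, not code from the original article or from the Fox-IT/NCC Group report; it takes the cipher exactly as shown above and uses its data-independent key stream for detection. Because the key stream never depends on the plaintext, the ciphertext of a fixed header such as `MZ` is always the same bytes, and any candidate payload file (the article's perfh011.dat, for instance) can be decrypted in place and checked for a PE header. The sample "payload" below is a constructed stub with an MZ stub and a PE signature, not a real executable; the function and file names are the author's own.

```python
import struct
import sys


def rolling_xor_keystream(length: int) -> bytes:
    """Reproduce PerfhLoader's key stream on its own.

    The loader's key ring only ever absorbs bytes derived from itself, so the
    stream is a fixed sequence that does not depend on the payload.
    """
    key = bytearray(range(0x10))
    out = bytearray(length)
    for i in range(length):
        k = key[(i + 5) & 0xF] ^ key[(i - 3) & 0xF] ^ key[(i - 7) & 0xF]
        out[i] = k
        key[i & 0xF] = k
    return bytes(out)


def crypt_buf(data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing with the fixed key stream."""
    return bytes(x ^ k for x, k in zip(data, rolling_xor_keystream(len(data))))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE header check: 'MZ' magic plus a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return len(blob) >= e_lfanew + 4 and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(blob: bytes) -> dict:
    """Report whether a file is a PE as-is and whether it becomes one after decryption."""
    return {
        "encrypted_pe": looks_like_pe(blob),
        "decrypted_pe": looks_like_pe(crypt_buf(blob)),
        # Known-plaintext artefact: what an MZ header turns into under this cipher.
        "mz_ciphertext": crypt_buf(b"MZ").hex(),
    }


def build_fake_pe() -> bytes:
    """Constructed stand-in for a payload DLL: DOS stub, e_lfanew, PE signature, filler."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    return bytes(hdr) + b"PE\0\0" + bytes(range(256))  # filler, not a real image


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Run against a real candidate, e.g. a copy of perfh011.dat pulled from a host
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        sample = build_fake_pe()
        enc = crypt_buf(sample)
        print("constructed sample:", triage(enc))
        assert crypt_buf(enc) == sample  # round trip: the cipher is its own inverse
```

Run it with no arguments to see the constructed round trip, or with a file path to decrypt a suspicious .dat and check for a PE header. The `mz_ciphertext` value is the practical takeaway: since the key stream is fixed, every payload encrypted by this loader starts with the same two bytes when the plaintext is a PE, which is a usable on-disk indicator even though the full file carries no visible PE structure.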
This in-memory execution strategy, combined with a suspected Chrome zero-day for initial compromise, underlines the threat actor’s sophistication and justifies heightened vigilance among cybersecurity professionals.