Over the past two years, Fox-IT and NCC Group have tracked a sophisticated Lazarus subgroup targeting financial and cryptocurrency firms.
This actor overlaps with AppleJeus, Citrine Sleet, UNC4736 and Gleaming Pisces campaigns and leverages three distinct remote access trojans (RATs)—PondRAT, ThemeForestRAT and RemotePE—to infiltrate and control compromised systems.
In a 2024 incident response case, the group conducted a multi-stage intrusion that illustrates its advanced tactics, techniques and procedures (TTPs).
In mid-2024, an employee at a decentralized finance firm was lured into a Telegram conversation by an attacker impersonating a colleague and directed to a spoofed meeting site.
Shortly thereafter, PondRAT was deployed on the victim’s Windows machine. Forensics revealed a sudden drop in endpoint logging—consistent with a suspected Chrome zero-day exploit—that enabled code execution without detection.
Over the next three months, the actor harvested credentials and network topology data using PondRAT in concert with custom tools (screenshotter, keylogger and browser dumper) and public utilities such as Mimikatz and the Fast Reverse Proxy client.
After reconnaissance, the actor removed PondRAT and ThemeForestRAT artifacts and installed a more advanced RAT named RemotePE, likely to maintain deeper access for high-value targets.
The attack chain comprised four phases: social engineering, exploitation, discovery and next-stage deployment.
PondRAT: A “Firstloader” with PoolRat Lineage
PondRAT, referred to in macOS samples as “firstloader,” surfaced in 2021 and has been tied to AppleJeus and PyPI-based distribution campaigns.
It communicates with a hardcoded C2 over HTTPS, encoding messages with XOR then Base64. Commands range from file I/O and process execution to in-memory PE loading and shellcode injection.
PondRAT shares numerous similarities with the older POOLRAT/SimpleTea family: identical XOR keys, function names and status-code concatenation, as well as a peculiar bot-ID generation scheme and secure file-erasure routine that overwrites and renames temporary files repeatedly.
Unlike POOLRAT, PondRAT lacks timestomping and C2 configuration files, likely reflecting its role as a lightweight loader.
ThemeForestRAT has evaded public analysis despite at least six years of use. Loaded in memory—often via PondRAT—it supports over twenty commands, including secure file deletion, timestomping, RDP-triggered callbacks and in-process shellcode injection.
On Windows, it spawns two threads: one (legacy) creating a temporary Z802056 folder and another monitoring console and RDP sessions to optionally execute configured commands. Configuration is stored in netraid.inf (43 KB RC4-encrypted) and defines C2 URLs, hibernation intervals and optional console commands.
Its C2 protocol uses HTTP(S) file transfers prefixed with “ThemeForest_” and “Thumb_.” ThemeForestRAT shares core design features with 2013’s RomeoGolf RAT—two signalling threads, config-file timestomping and unique-ID routines—suggesting code inheritance within Lazarus.
The functionality to detect and copy data from newly attached logical drives has been removed in ThemeForestRAT, while leaving the temporary directory creation intact.
RemotePE: The Advanced Next Phase
Once environmental footing was secured, the actor swapped its simpler RATs for RemotePE. Retrieved via a DPAPI-protected loader that resists disk recovery, RemotePE is a C++-based RAT with enhanced operational security, including refined file-renaming cleanup mirroring PondRAT’s method.
Evidence of RemotePE’s deployment marks the actor’s shift to a quieter, more capable second stage—presumably reserved for high-value victims.
This Lazarus subgroup’s persistent use of social engineering, suspected zero-day exploitation and custom RAT chains underscores its adaptability and resourcefulness. Organizations in the financial and cryptocurrency sectors should:
- Harden endpoint telemetry to detect sudden logging drop-offs indicative of rootkit loading.
- Monitor for phantom-DLL loading via services like SessionEnv and IKEEXT.
- Inspect abnormal Windows Performance Monitor files (perfh*.dat) in System32 for embedded loaders.
- Audit HTTP(S) traffic for anomalous file-transfer patterns, including unusual “ThemeForest_” or “Thumb_” requests.
- Adopt multi-factor authentication and strict privilege management to limit lateral movement.
By understanding the TTPs of PondRAT, ThemeForestRAT and RemotePE, defenders can anticipate the actor’s next moves and fortify their networks against this determined threat.
Indicators of Compromise
| Indicator Type | Value | Associated Threat or Note |
|---|---|---|
| Domain | calendly[.]live | Fake calendly.com |
| Domain | picktime[.]live | Fake picktime.com |
| Domain | oncehub[.]co | Fake oncehub.com |
| Domain | go.oncehub[.]co | Fake oncehub.com |
| Domain | dpkgrepo[.]com | Potential Chrome exploitation |
| Domain | pypilibrary[.]com | Visited by msiexec.exe after dpkgrepo[.]com |
| Domain | pypistorage[.]com | SessionEnv service connection |
| Domain | keondigital[.]com | LPEClient server, SessionEnv connection |
| Domain | arcashop[.]org | PondRAT C2 |
| Domain | jdkgradle[.]com | PondRAT C2 |
| Domain | latamics[.]org | PondRAT C2 |
| Domain | lmaxtrd[.]com | ThemeForestRAT C2 |
| Domain | paxosfuture[.]com | ThemeForestRAT C2 |
| Domain | www[.]plexisco[.]com | ThemeForestRAT C2 |
| Domain | ftxstock[.]com | ThemeForestRAT C2 |
| Domain | www[.]natefi[.]org | ThemeForestRAT C2 |
| Domain | nansenpro[.]org | ThemeForestRAT C2 |
| Domain | aes-secure[.]net | RemotePE payload/C2 |
| Domain | azureglobalaccelerator[.]com | RemotePE payload/C2 |
| Domain | azuredeploypackages[.]net | Injected process connection |
| IP Address | 144.172.74[.]120 | Fast Reverse Proxy server |
| IP Address | 192.52.166[.]253 | Quasar malware parameter |
| File/Path | %TEMP%tmpntl.dat | Windows keylogger output |
| File/Path | C:WindowsTempTMP01.dat | Windows keylogger error |
| Filename | netraid.inf | ThemeForestRAT Windows config |
| File/Path | /var/crash/cups | ThemeForestRAT Linux config |
| File/Path | /private/etc/imap | ThemeForestRAT macOS config |
| File/Path | /private/etc/krb5d.conf | POOLRAT macOS config (CISA 2021) |
| File/Path | /etc/apdl.cf | POOLRAT Linux config |
| File/Path | %SystemRoot%system32apdl.cf | POOLRAT Windows config |
| File/Path | /tmp/xweb_log.md | POOLRAT, PondRAT Linux error log |
| Filename | perfh011.dat | PerfhLoader encrypted payload |
| Filename | hsu.dat | SysInternals ADExplorer output (actor) |
| Filename | pfu.dat | SysInternals Handle viewer output (actor) |
| Filename | fpc.dat | Fast Reverse Proxy config |
| Filename | fp.exe | Fast Reverse Proxy executable |
| Filename | tsvipsrv.dll | Phantom-loaded by actor (SessionEnv) |
| Filename | wlbsctrl.dll | Phantom-loaded by actor (IKEEXT) |
| Filename | adepfx.exe | SysInternals ADExplorer (legit) |
| Filename | hd.exe | SysInternals Nthandle.exe (legit) |
| Filename | msnprt.exe | Proxymini SOCKS proxy (actor) |
| File/Path | %LocalAppData%IconCache.log | Browser/data dumper, Mimikatz-based |
| File/Path | /private/etc/pdpaste | macOS keylogger file path |
| File/Path | /private/etc/xmem | macOS keylogger output |
| File/Path | /private/etc/tls3 | macOS screenshotter output |
| File/Path | %LocalAppData%MicrosoftSoftwareCache | Windows screenshotter output |
| File/Path | c:windowssystem32cmui.exe | Themida-packed Quasar |
This table presents each indicator, type, and related malicious or suspicious note for rapid threat reference.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
