
Lazarus Group Deploys Three Remote Access Trojans on Compromised Systems, Potentially Exploiting 0-Day Vulnerability

A sophisticated subgroup of the Lazarus threat actor has emerged recently, deploying three distinct Remote Access Trojans (RATs) across compromised financial and cryptocurrency organisations. Initial access has primarily been achieved through tailored social engineering campaigns on Telegram, where attackers impersonate legitimate employees of well-known trading firms. Victims are lured to counterfeit meeting websites, such as fake Calendly and Picktime portals, where a suspected Chrome zero-day exploit facilitates silent code execution on the victim’s machine. Once inside the network, the attackers deploy PondRAT as a first-stage loader, followed by the stealthier ThemeForestRAT, which operates purely in memory. After several months of reconnaissance and lateral movement, the Lazarus subgroup cleans up earlier artifacts and installs the more advanced RemotePE RAT to solidify long-term access. Analysts from Fox-IT and NCC Group have noted that the speed and precision of this infection chain underscore the actor’s advanced capabilities and deep familiarity with both custom and publicly available tooling.

The impact of this campaign extends beyond simple credential theft: between them, the three RATs support file manipulation, shellcode injection, RDP session monitoring and secure file exfiltration. Organisations in decentralised finance (DeFi) have reported significant disruptions, with hidden backdoors enabling continuous data harvesting and opportunistic lateral pivots towards subsequent supply-chain intrusions. Despite widespread awareness of Lazarus activity, this subgroup's use of new malware families and suspected zero-day exploits has caught many defenders off guard. Its tradecraft combines custom loaders with Windows phantom DLL hijacking and DPAPI encryption. Analysts have identified that PerfhLoader abuses the SessionEnv service through phantom DLL loading (the service attempts to load a DLL that is absent on a default installation, so a DLL planted under that name in the search path is loaded into the service's process) to persistently execute PondRAT or its predecessor, POOLRAT. The loader then decrypts an opaque payload file, such as perfh011.dat, with a rolling XOR cipher and executes the result in memory, so the decrypted payload never touches disk. Hunting for this stage therefore means looking for unexpected DLLs in the SessionEnv load path and for opaque .dat files beside them, rather than for the RAT binary itself.

Categories: Cybersecurity Threats, Remote Access Trojans, Social Engineering Attacks

Tags: Lazarus, Remote Access Trojan, Social Engineering, Telegram, Zero-Day Exploit, PondRAT, ThemeForestRAT, RemotePE, Infection Mechanism, Decryption
