Red Hot Cyber, The cybersecurity news


Lazarus APT: 3 Advanced RATs for Cryptocurrency Financial Organizations

Redazione RHC : 2 September 2025 14:38

Recently, an advanced subgroup linked to the notorious threat actor Lazarus was detected distributing three different remote access Trojans (RATs) within compromised financial and cryptocurrency organizations. Initial access was achieved primarily through social engineering campaigns conducted on Telegram, where attackers pretended to be legitimate employees of major commercial companies.

Fake appointment-scheduling websites, impersonating portals such as Calendly and Picktime, lure victims to pages that deliver a suspected Chrome zero-day exploit, giving the attackers silent code execution on the victim's computer. Once inside the network, the attackers deploy PondRAT as a first step and then switch to the harder-to-detect ThemeForestRAT, which runs only in memory.

Lazarus attack chain (Source: Fox-IT)

The use of new malware families and suspected zero-day exploits took many defenders by surprise. Adding to the urgency is the group's sophisticated operational security, which shows in its ability to combine custom loaders with Windows DLL hijacking and DPAPI encryption.

After months of exploration and strategic maneuvering, Lazarus consolidates the access it already has by eliminating unnecessary artifacts and then installs the more advanced RemotePE RAT to ensure sustained control.

The following are the 3 RATs (Remote Access Trojans) used in the campaign:

  • ThemeForestRAT
  • PondRAT
  • RemotePE

Analysts at Fox-IT and NCC Group have observed that the speed and precision of this infection chain highlight the actor's advanced capabilities and deep familiarity with both custom and publicly available tools.

Analysts have also noted that the SessionEnv service is abused through DLL hijacking: PerfhLoader, a malicious DLL picked up by the service, keeps PondRAT or its predecessor POOLRAT running persistently. An opaque payload file (such as perfh011.dat) is decoded by the loader with an XOR routine before being executed in memory.

After decoding, PerfhLoader uses an open-source manual DLL loader to map PondRAT into memory without writing any executable file to disk, allowing stealthy reconnaissance and data exfiltration.
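As an added illustration (not code from the article, Fox-IT or NCC Group), the following is a triage routine a responder could apply to a suspicious payload file such as perfh011.dat. It assumes a single-byte XOR key, which the article does not confirm, and validates each candidate key against the PE layout (MZ header, e_lfanew pointer, PE signature) rather than just the first two bytes.

```python
"""Triage helper for XOR-encoded PE payloads (constructed example).

Assumption: the payload is XORed with a single repeating byte. The real
scheme used by PerfhLoader is not described in the article.
"""
import struct
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Check the MZ header, the e_lfanew pointer at 0x3C and the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force the single-byte key; accept only a coherent PE layout."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like image: MZ header, DOS stub text, PE signature."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    struct.pack_into("<I", hdr, 0x3C, 0x80)           # e_lfanew -> offset 0x80
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20   # COFF header placeholder


SAMPLE_KEY = 0x5A                                       # constructed key, not from the article
SAMPLE_BLOB = xor_bytes(build_fake_pe(), SAMPLE_KEY)    # what an encoded .dat file might look like

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#x}" if key is not None else "no single-byte key found")
```

Rejecting candidates that only reproduce "MZ" avoids false positives on random data; a hit on this check is a strong signal that the .dat file is a disguised executable worth carving and analysing.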

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
