{
	"id": "dcc3e6db-e168-4ae4-878f-d20841bbc611",
	"created_at": "2026-04-06T00:10:41.22793Z",
	"updated_at": "2026-04-10T03:38:19.485921Z",
	"deleted_at": null,
	"sha1_hash": "63bf461a96459ff4787809998f79d381e2fa5bcb",
	"title": "Three Lazarus RATs coming for your cheese",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2525732,
	"plain_text": "Three Lazarus RATs coming for your cheese\r\nBy Fox-SRT\r\nPublished: 2025-09-01 · Archived: 2026-04-05 23:16:31 UTC\r\nAuthors: Yun Zheng Hu and Mick Koomen\r\nIntroduction\r\nIn the past few years, Fox-IT and NCC Group have conducted multiple incident response cases involving a Lazarus\r\nsubgroup that specifically targets organizations in the financial and cryptocurrency sector. This Lazarus subgroup overlaps\r\nwith activity linked to AppleJeus1, Citrine Sleet2, UNC47363, and Gleaming Pisces4. This actor uses different remote access\r\ntrojans (RATs) in their operations, known as PondRAT\r\n5\r\n, ThemeForestRAT and RemotePE. In this article, we analyse and\r\ndiscuss these three.\r\nFirst, we describe an incident response case from 2024, where we observed the three RATs. This gives insights into the\r\ntactics, techniques, and procedures (TTPs) of this actor. Then, we discuss PondRAT, ThemeForestRAT and RemotePE,\r\nrespectively.\r\nPondRAT received quite some attention last year, we give a brief overview of the malware and document other similarities\r\nbetween PondRAT and POOLRAT (also known as SimpleTea) that have not yet been publicly documented. Secondly, we\r\ndiscuss ThemeForestRAT, a RAT that has been in use for at least six years now, but has not yet been discussed publicly.\r\nThese two malware families were used in conjunction, where PondRAT was on disk and ThemeForestRAT seemed to only\r\nrun in memory.\r\nLastly, we briefly describe RemotePE, a more advanced RAT of this group. We found evidence that the actor cleaned up\r\nPondRAT and ThemeForestRAT artifacts and subsequently installed RemotePE, potentially signifying a next stage in the\r\nattack. We cannot directly link RemotePE to any public malware family at the time of this writing.\r\nIn all cases, the actor used social engineering as an initial access vector. In one case, we suspect a zero-day might have been\r\nused to achieve code execution on one of the victim’s machines. 
We think this highlights their advanced capabilities, and\r\nwith their history of activity, also shows their determination.\r\nA Telegram from Pyongyang\r\nhttps://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/#7ad29534-c69c-41ce-ae8e-99c32f0d11b3\r\nPage 1 of 21\n\nIn 2024, Fox-IT investigated an incident at an organisation in decentralized finance (DeFi). There, an employee’s machine\r\nwas compromised through social engineering. From there, the actor performed discovery from inside the network using\r\ndifferent RATs in combination with other tools, for example, to harvest credentials or proxy connections. Afterwards, the\r\nactor moved to a stealthier RAT, likely signifying a next stage in the attack.\r\nIn Figure 1, we provide an overview of the attack chain, where we highlight four phases of the attack:\r\n1. Social engineering: the actor impersonates an existing employee of a trading company on Telegram and sets up a\r\nmeeting with the victim, using fake meeting websites.\r\n2. Exploitation: the victim machine gets compromised and shortly afterwards PondRAT is deployed. We are uncertain\r\nhow the compromise was achieved, though we suspect a Chrome zero-day vulnerability was used.\r\n3. Discovery: the actor uses various tooling to explore the victim network and observe daily activities.\r\n4. Next phase: after three months, the actor removes PerfhLoader, PondRAT and ThemeForestRAT and deploys a more\r\nadvanced RAT, which we named RemotePE.\r\nFigure 1: Overview of the attack chain from a 2024 incident response case involving a Lazarus subgroup\r\nWe found traces matching a social engineering technique previously described by SlowMist6. This social engineering\r\ncampaign targets employees of companies active in the cryptocurrency sector by posing as employees of investment\r\ninstitutions on Telegram.\r\nThis Lazarus subgroup uses fake Calendly and Picktime websites, including fake websites of the organisations they\r\nimpersonate. 
We found traces of two impersonated employees of two different companies. We did not observe any domains\r\nlinked to the “Access Restricted” trick as described by SlowMist. In Figure 2, you can see a Telegram message from the\r\nactor, impersonating an existing employee of a trading company. Looking up the impersonated person, showed that the\r\nperson indeed worked at the trading company.\r\nhttps://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/#7ad29534-c69c-41ce-ae8e-99c32f0d11b3\r\nPage 2 of 21\n\nFigure 2: Lazarus subgroup impersonating an employee at a trading company interested in the\r\ncryptocurrency sector\r\nFrom the forensic data, we could not establish a clear initial access vector. We suspect a Chrome zero-day exploit was used.\r\nAlthough, we have no actual forensic data to back up this claim, we did notice changes in endpoint logging behaviour.\r\nAround the time of compromise, we noted a sudden decrease in the logging of the endpoint detection agent that was running\r\non the machine. Later, Microsoft published a blogpost7, describing Citrine Sleet using a zero-day Chrome exploit to launch\r\nan evasive rootkit called FudModule8, which could explain this behaviour.\r\nPersistence with PerfhLoader\r\nThe actor leveraged the SessionEnv service for persistence. This existing Windows service is vulnerable to phantom DLL\r\nloading9. A custom TSVIPSrv.dll can be placed inside the %SystemRoot%\\System32\\ directory, which SessionEnv will\r\nload upon startup. The actor placed its own loader in this directory, which we refer to as PerfhLoader. Persistence was\r\nensured by making the service start automatically at reboot using the following command:\r\nsc config sessionenv start=auto\r\nThe actor also modified the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SessionEnv\\RequiredPrivileges\r\nregistry key by adding SeDebugPrivilege and SeLoadDriverPrivilege privileges. 
These elevated privileges enable\r\nloading kernel drivers, which can bypass or disable Endpoint Detection and Response (EDR) tools on the compromised\r\nsystem.\r\nFigure 3: PerfhLoader loaded through SessionEnv service via Phantom DLL Loading which in turn loads\r\nPondRAT or POOLRAT\r\nIn a case from 202010, this actor used the IKEEXT service for phantom DLL loading, writing PerfhLoader to the path\r\n%SystemRoot%\\System32\\wlbsctrl.dll. The vulnerable VIAGLT64.SYS kernel driver (CVE-2017-16237) was also used to\r\ngain SYSTEM privileges.\r\nPerfhLoader is a simple loader that reads a file with a hardcoded filename (perfh011.dat) from its current directory,\r\ndecrypts its contents, loads it into memory and executes it. In all observed cases, both PerfhLoader and the encrypted DLL\r\nwere in the %SystemRoot%\\System32\\ folder. Normally, perfhXXX.dat files located in this folder contain Windows\r\nPerformance Monitor data, which makes it blend in with normal Windows file names.\r\nThe cipher used to encrypt and decrypt the payload uses a rolling XOR key; Listing 1 gives a Python implementation.\r\ndef crypt_buf(data: bytes) -\u003e bytes:\r\n    # Symmetric cipher: the same routine both encrypts and decrypts.\r\n    # Rolling 16-byte XOR key, initialised to 0x00..0x0F.\r\n    xor_key = bytearray(range(0x10))\r\n    buf = bytearray(data)\r\n    for idx in range(len(buf)):\r\n        # Derive the key byte from three positions of the rolling key.\r\n        a = xor_key[(idx + 5) \u0026 0xF]\r\n        b = xor_key[(idx - 3) \u0026 0xF]\r\n        c = xor_key[(idx - 7) \u0026 0xF]\r\n        xor_byte = a ^ b ^ c\r\n        buf[idx] ^= xor_byte\r\n        # Feed the derived byte back into the key so it keeps rolling.\r\n        xor_key[idx \u0026 0xF] = xor_byte\r\n    return bytes(buf)\r\nListing 1: Python implementation of the XOR cipher used by PerfhLoader\r\nThe decrypted content contains a DLL that PerfhLoader loads into memory using the Manual-DLL-Loader project11.\r\nInterestingly, PondRAT uses this same project for DLL loading.\r\nDiscovery\r\nAfter establishing a 
foothold, the actor deployed various tools in combination with the RATs described earlier. These\r\nincluded both custom tooling and publicly available tools. Table 1 lists some of the tools we recovered that the actor used.\r\nTool\r\nTool\r\nOrigin\r\nDescription\r\nScreenshotter Actor A tool that takes periodic screenshots and stores them locally\r\nKeylogger Actor A Windows keylogger that writes user keystrokes to a file\r\nChromium browser\r\ndumper\r\nActor\r\nA browser dump tool that dumps Chromium-based browser\r\ncookies and credentials\r\nMidProxy Actor Proxy tool\r\nMimikatz12 Public Windows secrets dumper\r\nProxy Mini13 Public Proxy tool\r\nfrpc14 Public Fast reverse proxy client\r\nTable 1: Tools observed during incident response case (public and actor-developed)\r\nhttps://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/#7ad29534-c69c-41ce-ae8e-99c32f0d11b3\r\nPage 4 of 21\n\nInterestingly, the Fast Reverse Proxy client we found was the same client found in the 3CX compromise by Mandiant15\r\n.\r\nThis client is version 0.32.116 and is from 2020, which is remarkable. We also found traces of a Themida-packed version of\r\nQuasar17, a malware family we did not see this Lazarus subgroup use before.\r\nThe actor used PondRAT in combination with ThemeForestRAT for roughly three months, to afterwards clean up and install\r\nthe more sophisticated RAT called RemotePE. We will now discuss these three RATs.\r\nPondRAT\r\nPondRAT is a simple RAT, which its authors seem to refer to as “firstloader”, based on the compilation metadata string\r\nobjc_firstloader that is present in the macOS samples.\r\nIn our case, PondRAT was the initial access payload used to deploy other types of malware, including ThemeForestRAT.\r\nJudging from network data, apart from ThemeForestRAT activity, we observed significant activity to the PondRAT C2\r\nserver, indicating it was not just used for its loader functionality. 
In the incident response case from 2020 we encountered\r\nPOOLRAT in combination with ThemeForestRAT. This could indicate that PondRAT is a successor of POOLRAT.\r\nOverview\r\nPondRAT is a straightforward RAT that allows an operator to read and write files, start processes and run shellcode. It has\r\nalready been described by some vendors. As far as we know, the earliest sample is from 2021, referenced in a CISA\r\narticle18. Based on PondRAT’s user-agent, we also noticed that PondRAT was used in an AppleJeus campaign Volexity\r\nwrote about19 (MSI file with hash 435c7b4fd5e1eaafcb5826a7e7c16a83 ). 360 Threat Intelligence Center wrote about\r\nPondRAT as well20, linking it to Lazarus and later writing about it being distributed through Python Package Index (PyPI)\r\npackages21. Vipyr Security wrote22 about malware that was dropped through malicious Python packages distributed through\r\nPyPI, which turned out to be PondRAT. Unit42 published an analysis23 of the RAT, referring to it as PondRAT and showing\r\nsimilarities between PondRAT and another RAT used by Lazarus: POOLRAT.\r\nAs described by Unit42, there are similarities between POOLRAT and PondRAT. There is overlap in function and class\r\nnaming and both families check for successful responses in a similar way.\r\nPOOLRAT has more functionality than PondRAT. For example, POOLRAT has a configuration file for C2 servers, can\r\ntimestomp24 files, can move files around, functionalities that PondRAT lacks. We think this is because there is no need for\r\nmore functionality if its main function is to load other malware, allowing for a smaller code base and less maintenance.\r\nCommand and Control\r\nPondRAT communicates over HTTP(S) with a hardcoded C2 server. Messages sent between the malware and the server are\r\nXOR-ed first and then Base64-encoded. 
For XORing it uses the hex-encoded key\r\n774C71664D5D25775478607E74555462773E525E18237947355228337F433A3B .\r\nFigure 4: PondRAT check-in request\r\nFigure 4 contains an example check-in request to the C2 server. The tuid parameter contains the bot ID, control\r\nindicates the request type, and the payload parameter contains the encrypted check-in information. In this case, control\r\nis set to fconn , indicating it is a bot check-in, matching with the corresponding function name FConnectProxy() . When\r\nreceiving a server reply starting with OK , PondRAT fetches a command from the server. For at least one Linux and macOS\r\nhttps://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/#7ad29534-c69c-41ce-ae8e-99c32f0d11b3\r\nPage 5 of 21\n\nvariant, the parameter names and string values consisted of scrambled letters, e.g. lkjyhnmiop instead of tuid and\r\nodlsjdfhw instead of fconn .\r\nCommands\r\nPondRAT has basic commands, such as reading and writing files and executing programs. Table 2 lists all commands and\r\ntheir names from the symbol data. When a bot command is executed, the response includes both the original command ID\r\nand a status code indicating either success ( 0x89A ) or failure ( 0x89B ).\r\nCommand ID / Status code Symbol name Description\r\n0x892 csleep Sleep\r\n0x893 MsgDown Read file\r\n0x894 MsgUp Write file\r\n0x895 Ping\r\n0x896 Load PE from C2 in memory\r\n0x897 MsgRun Launch process\r\n0x898 MsgCmd Execute command through the shell\r\n0x899 Exit\r\n0x89a Status code indicating command succeeded\r\n0x89b Status code indicating command failed\r\n0x89c Run shellcode in process\r\nTable 2: PondRAT command IDs and their descriptions\r\nWindows\r\nOnly the Windows samples we analysed had support for commands 0x896 and 0x89C . The DLL loading functionality\r\nseems to be based on the open-source project “Manual-DLL-Loader”25. 
As a sidenote, we analysed another POOLRAT\r\nWindows sample that used the “SimplePELoader” project26.\r\nPOOLRAT’s Little Brother\r\nAs mentioned by Palo Alto’s Unit42, PondRAT has similarities with POOLRAT. There is overlap in XOR keys, function\r\nnaming and class naming. However, there are more similarities. Firstly, the Windows versions of PondRAT and POOLRAT\r\nuse the format string %sd.e%sc \"%s \u003e %s 2\u003e\u00261\" for launching a shell command. Format strings have been discussed in the\r\npast27 and this specific format string was linked to Operation Blockbuster Sequel. Furthermore, PondRAT has a peculiar\r\nway of generating its bot ID, see the decompiled code below.\r\nFigure 5: Bot ID generation for PondRAT (left) and POOLRAT (right)\r\nFigure 5 shows how PondRAT and POOLRAT compute their bot ID. For PondRAT, tuid is the bot ID. It computes two\r\nparts of a 32-bit integer, that are split in two based on the bit_shift variable. Some of the POOLRAT samples compute\r\nthe bot ID in a similar manner. The sample 6f2f61783a4a59449db4ba37211fa331 has symbol information available and\r\ncontains a function named GenerateSessionId() that has this same logic.\r\nhttps://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/#7ad29534-c69c-41ce-ae8e-99c32f0d11b3\r\nPage 6 of 21\n\nMore similarities can be found as part of the C2 protocol. PondRAT provides feedback to commands issued by the C2 server\r\nby returning the command ID concatenated with the status code. POOLRAT uses the same concept, see Figure 6.\r\nFigure 6: Command status concatenation for PondRAT (left) and POOLRAT (right)\r\nAnother similarity can be found when comparing the Windows versions of POOLRAT and PondRAT. When running a Shell\r\ncommand (command ID 0x898 ) with PondRAT, the Windows version creates a temporary file with the prefix TLT in\r\nwhich it saves the command output. 
Then, it reads the file and sends the contents back to the C2 server and subsequently\r\nremoves it. However, the way it removes the temporary file is remarkable.\r\nIt generates a buffer with random bytes and overwrites the file contents with it. Then, it renames the file 27 times, replacing\r\nall letters with only A’s, then B’s, etc. and with the last iteration renames all letters with random uppercase letters. For\r\ninstance, when the file C:\\Windows\\Temp\\tlt1bd8.tmp is deleted, it would first be renamed to\r\nC:\\Windows\\Temp\\AAAAAAA.AAA , then to C:\\Windows\\Temp\\BBBBBBB.BBB , and lastly to something like VYLDVAP.XQA .\r\nPOOLRAT’s Windows version has the same functionality, see Figure 7.\r\nFigure 7: Windows file name generation for PondRAT (left) and POOLRAT (right)\r\nThese similarities show that apart from variable data and symbol names, PondRAT is similar to POOLRAT in coding\r\nconcepts as well. This further strengthens the connection between the two.\r\nSummary\r\nPondRAT is a simple RAT. Judging from the symbol data of macOS samples, its authors seem to refer to the malware as\r\nfirstloader , a RAT that targets all three major operating systems. In our case, we observed it in combination with social\r\nengineering campaigns, whereas others have seen PondRAT being dropped through malicious software packages. Despite\r\nbeing simple in nature, it seems to do the job, given the frequency in which it is used. Judging from past incidents we\r\ninvestigated, PondRAT is a successor of POOLRAT.\r\nRun, ThemeForest, Run!\r\nIn two incident response cases we found traces of a different RAT being used in conjunction with POOLRAT or PondRAT.\r\nWe named it ThemeForestRAT, based on the substring ThemeForest which it uses in its C2 protocol. It is written in C++\r\nand contains class names such as CServer , CJobManager , CSocketEx , CZipper and CUsbMan . 
ThemeForestRAT has\r\nmore functionalities compared to PondRAT and POOLRAT.\r\nIn an earlier incident response case in 2020, we observed ThemeForestRAT in combination with POOLRAT. In the case\r\nfrom 2024, we observed it together with PondRAT. Its continued activity over at least five years demonstrates that\r\nThemeForestRAT remains a relevant and capable tool for this actor. Besides Windows, we have observed Linux and macOS\r\nversions of the malware.\r\nWe believe that on Windows, this RAT is injected and executed in memory only, for example via PondRAT, or a dedicated\r\nloader, and is used as stealthier second-stage RAT with more functionality. The fact there are no direct samples of\r\nThemeForestRAT on VirusTotal indicates it is quite successful in staying under the radar.\r\nOverview\r\nhttps://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/#7ad29534-c69c-41ce-ae8e-99c32f0d11b3\r\nPage 7 of 21\n\nOn startup, ThemeForestRAT attempts to read the configuration file from disk. When absent, it generates a unique bot ID\r\nand uses the hardcoded C2 configuration settings in the binary to create the configuration file.\r\nInterestingly, the Windows variant creates two Windows events and accompanying threads that are used for signalling\r\npurposes (see Figure 8). However, the first thread related to the class CUsbMan only creates the temporary directory\r\nZ802056 and returns, this turned out to be legacy code as we will describe later.\r\nThe second thread monitors for new Remote Desktop (RDP) sessions and notifies the main thread when one is detected.\r\nAdditionally, the thread checks for new physical console sessions and can optionally spawn extra commands under this\r\nsession if this is enabled in the configuration.\r\nFigure 8: ThemeForestRAT startup code creating two Windows events and threads for signalling\r\nAfter creating these two threads it hibernates before connecting to the C2 server. 
The default hibernation period is three\r\nminutes, but when it runs for the first time it checks in immediately. There are two cases where ThemeForestRAT wakes up\r\nfrom hibernation: either the hibernation period has passed, or one of the two events is signalled.\r\nWhen it wakes up from hibernation it randomly selects a C2 server from its list and attempts to establish a connection. Upon\r\nreceiving a response:OK acknowledgment, it downloads a 4-byte file that must decrypt to the 32-bit constant 0x20191127\r\nto establish a valid C2 session. If this fails it will retry a different C2 and start over again; when the list of servers is\r\nexhausted it will go back into hibernation and try again later.\r\nIf it succeeds in establishing a C2 session, ThemeForestRAT sends basic system information including its wake-up reason to\r\nthe C2 server, and the operator can now interact with the RAT as it keeps polling for new commands. When the operator\r\nsends an OnTerminate or OnSleep command (see Table 4), the C2 session ends, and the RAT goes back to hibernation.\r\nstruct SystemInfoWindows\r\n{\r\n    uint32 job_id;\r\n    wchar  bot_id[20];\r\n    wchar  hostname[64];\r\n    wchar  whoami[50];\r\n    uint32 dwMajorVersion;\r\n    uint32 dwMinorVersion;\r\n    uint32 dwPlatformId;\r\n    uint16 padding1;\r\n    wchar  ip_address[20];\r\n    wchar  timezone[50];\r\n    wchar  gpu[50];\r\n    wchar  memory[50];\r\n    uint16 padding2;\r\n    uint32 wakeup_reason;\r\n    wchar  os_version[256];\r\n};\r\n\r\nstruct SystemInfoPOSIX\r\n{\r\n    uint32 job_id;\r\n    char   bot_id[16];\r\n    char   unused1[24];\r\n    char   hostname[128];\r\n    char   username[114];\r\n    char   ip_address[40];\r\n    char   timezone[100];\r\n    char   arch[100];\r\n    char   memory[100];\r\n    char   unused2[6];\r\n    char   os_version[512];\r\n};\r\nListing 2: ThemeForestRAT system information structure that is sent after establishing a C2 session\r\nListing 2 shows the structure definitions that ThemeForestRAT uses for sending system information when establishing a C2\r\nsession. The job_id field indicates the OS type, 0x10005 for Windows, and 0x20005 for both Linux and macOS as they\r\nshare the same structure.\r\nConfiguration\r\nThe configuration file of ThemeForestRAT is encrypted with RC4 using the hex-encoded key 201A192D838F4853E300 and\r\ncontains the following settings:\r\n64-bit unique bot ID\r\nList of ten C2 server URLs\r\nCommand interpreter, for example cmd.exe (not used)\r\nList of optional commands to execute under the user of the active console session (Windows only, empty by default)\r\nMatching array to enable the optional console command\r\nLast check-in timestamp\r\nHibernation time between C2 sessions in minutes, default value is 3\r\nC2 callback settings, for example to immediately check in on a new active RDP connection\r\nThe configuration can be parsed using the C structure definition from Listing 3.\r\nstruct ThemeForestC2Config\r\n{\r\n    uint64 bot_id;\r\n    wchar  urls[10][1024];\r\n    wchar  shell[1024];\r\n    wchar  wts_console_cmdline[10][1024];\r\n    char   wts_console_cmdline_enabled[10];\r\n    uint32 last_checkin_epoch;\r\n    uint32 configured_hibernate_minutes;\r\n    uint32 active_hibernate_minutes;\r\n    uint16 callback_settings;\r\n};\r\nListing 3: ThemeForestRAT configuration structure definition for Windows\r\nThe configuration path that the RAT reads from disk is hardcoded. On macOS and Linux, this is an absolute path, while on\r\nWindows it looks in the current working directory where the RAT is launched. 
In Table 3 we list the observed configuration\r\npaths and hardcoded configuration file sizes for ThemeForestRAT.\r\nOperating system ThemeForestRAT configuration file on disk File size\r\nWindows netraid.inf 43048 bytes\r\nLinux /var/crash/cups 43044 bytes\r\nmacOS /private/etc/imap 43044 bytes\r\nTable 3: Observed ThemeForestRAT configuration paths and their file sizes on Windows, Linux and macOS\r\nCommand and Control\r\nThemeForestRAT communicates over HTTP(S). The filenames it uses for retrieving commands from the C2 server are\r\nprefixed with ThemeForest_ . The response data is sent back to the operator as a file prefixed with Thumb_ , see Figure 6.\r\nOn Windows it uses the Ryeol Http Client28 library for HTTP communications, and on macOS and Linux it uses libcurl.\r\nThemeForestRAT has a single hardcoded C2 in the binary, but its configuration can be updated by sending the SetInfo\r\ncommand.\r\nhttps://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/#7ad29534-c69c-41ce-ae8e-99c32f0d11b3\r\nPage 10 of 21\n\nFigure 9: ThemeForestRAT sending encrypted system information to C2 server on initial check-in\r\nCommands\r\nIn terms of command functionality, ThemeForestRAT supports over twenty commands, at least twice as much as PondRAT.\r\nThe Linux and macOS versions contain debug symbols, which allows us to map the command IDs to function names where\r\navailable.\r\nSymbol name\r\nCommand\r\nID\r\nDescription\r\nListDrives 0x10001000 Get list of drives\r\nCServer::OnFileBrowse 0x10001001 Get directory listing\r\nCServer::OnFileCopy 0x10001002 Copy file from source to destination on victim machine\r\nCServer::OnFileDelete 0x10001003 Delete a file\r\nFileDeleteSecure 0x10001004 Delete a file securely\r\nCServer::OnFileUpload 0x10001005 Open a file for writing on victim machine\r\nCServer::FileDownload 0x10001006 Download file from victim machine\r\nRun 0x10001007 Execute a command and return the exit code\r\nCServer::OnChfTime 0x10001008 
Timestomp file based on another file on disk\r\n– 0x10001009 –\r\nCServer::OnTestConn 0x1000100a Test TCP connection to host and port\r\nCServer::OnCmdRun 0x1000100b Run command in background and return output\r\nCServer::OnSleep 0x1000100c\r\nHibernate for X seconds, this will also be saved in the\r\nconfiguration file\r\nCServer::OnViewProcess 0x1000100d Get process listing\r\nhttps://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/#7ad29534-c69c-41ce-ae8e-99c32f0d11b3\r\nPage 11 of 21\n\nSymbol name\r\nCommand\r\nID\r\nDescription\r\nCServer::OnKillProcess 0x1000100e Kill process by process ID\r\n– 0x1000100f –\r\nCServer::OnFileProperty 0x10001010 Get file properties\r\nCServer::OnGetInfo 0x10001011 Get current RAT configuration\r\nCServer::OnSetInfo 0x10001012 Update and save RAT configuration file\r\nCServer::OnZipDownload 0x10001013 Download a directory or file as a compressed Zip file\r\nCServer::OnTerminate 0x10001014\r\nFlush configuration to disk and hibernate until next wake\r\nup\r\n(Data) 0x10001015 Data\r\n(JobSuccess) 0x10001016 Job succeeded\r\n(JobFailed) 0x10001017 Job failed\r\nGetServiceName 0x10001018 Return current service name\r\nCleanupAndExit 0x10001019\r\nRemove persistence, configuration file, and terminate\r\nRAT\r\nRecvMsg 0x1000101a Force C2 check-in\r\nRunAs 0x1000101b\r\nSpawn a process under the user token of given Windows\r\nTerminal Services session\r\n– 0x1000101c –\r\nWriteRandomData 0x1000101d Write random data to file handle\r\nCServer::OnInjectShellcode 0x1000101e Inject shellcode into process ID\r\nTable 4: ThemeForestRAT command IDs and their descriptions\r\nNote that the symbol names in Table 4 that start with CServer:: are from the debug symbols and the other names are\r\ndeduced based on analysis of the command.\r\nShellcode Injection\r\nOn Windows, the CServer::OnInjectShellcode command injects shellcode into a given process ID using NtOpenProcess ,\r\nNtAllocateVirtualMemory , NtWriteVirtualMemory 
and RtlCreateUserThread Windows API calls. The shellcode is\r\nencrypted using the same algorithm used in PerfhLoader (see Listing 1). In the macOS and Linux samples we have\r\nanalysed, this command is defined as an empty stub.\r\nRomeoGolf’s Little Brother\r\nIn 2016, Novetta released a detailed report called Operation Blockbuster29, in which a Novetta-led coalition of security\r\ncompanies analysed malware samples from multiple cybersecurity incidents. The investigation linked the 2014 Sony\r\nPictures attack to the Lazarus Group and revealed that the same actor had been behind numerous other attacks against\r\ngovernment, military, and commercial targets using related malware since 2009.\r\nOperation Blockbuster’s malware report describes RomeoGolf, a RAT that resembles ThemeForestRAT in several ways:\r\nUses the temporary folder Z802056 , although not used in ThemeForestRAT, is still created\r\nOverlapping command IDs and functionality\r\nhttps://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/#7ad29534-c69c-41ce-ae8e-99c32f0d11b3\r\nPage 12 of 21\n\nSame unique identifier generation using 4 calls to rand()\r\nConfiguration file with extension *.inf on Windows\r\nTimestomping of the configuration file based on mspaint.exe\r\nTwo signalling threads for USB and RDP events\r\nFigure 10 shows the RomeoGolf startup logic for generating its bot ID and two signalling threads that is identical to\r\nThemeForestRAT (see Figure 5).\r\nFigure 10: RomeoGolf startup creates two signalling threads, comparable to ThemeForestRAT (see Figure 5).\r\nAs can be seen in Table 5, the functionality to detect and copy data from newly attached logical drives has been removed in\r\nThemeForestRAT, while leaving the temporary directory creation intact. 
Also, the thread to check for new RDP sessions has\r\nbeen extended in ThemeForestRAT to optionally spawn up to ten extra configured commands under the user of the active\r\nphysical console session.\r\nRomeoGolf ThemeForestRAT\r\nCompilation date Fri Oct 11 01:20:48 2013 Thu Sep 07 06:40:40 2023\r\nKnown configuration\r\nfile\r\ncrkdf32.inf netraid.inf\r\nConfiguration file\r\ntimestomped to\r\nmspaint.exe mspaint.exe\r\nUSB thread logic\r\n1. Creates %TEMP%\\Z802056\r\n2. Checks for newly attached\r\ndrives and copies data to above\r\nfolder\r\n3. Signal on newly attached drives\r\n1. Creates %TEMP%\\Z802056\r\nRDP thread logic\r\n1. Signal on new active RDP\r\nsessions\r\n1. Start configured commands under the\r\nuser of the new active console session\r\n2. Signal on new active RDP session if\r\nconfigured\r\nC2 communication Fake TLS HTTP(S)\r\nHighest known\r\ncommand id\r\n0x10001013 0x1000101e\r\nTable 5: Differences and similarities between RomeoGolf and ThemeForestRAT\r\nWhile RomeoGolf used Fake TLS30 and its own custom server for its C2 communications, ThemeForestRAT uses the HTTP\r\nprotocol and shared hosting for its C2 servers.\r\nhttps://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/#7ad29534-c69c-41ce-ae8e-99c32f0d11b3\r\nPage 13 of 21\n\nOnto the next stage with RemotePE\r\nIn the 2024 incident response case, we observed the actor cleaning up PondRAT and ThemeForestRAT, to deploy a more\r\nadvanced RAT, which we named RemotePE. RemotePE is retrieved from a C2 server by RemotePELoader.\r\nRemotePELoader is encrypted on disk using Window’s Data Protection API (DPAPI) and is loaded by DPAPILoader. 
Using\r\nDPAPI enables environmental keying and makes it difficult to recover the original payload without access to the machine.\r\nDPAPILoader was made persistent through a created Windows service.\r\nFigure 10: RemotePELoader check-in request to retrieve RemotePE payload\r\nIn Figure 10, we show a RemotePELoader check-in request used to retrieve RemotePE from the C2 server. RemotePE is\r\nwritten in C++ and is more advanced and elegant. We think that the actor uses this more sophisticated RAT for interesting or\r\nhigh-value targets that require a higher degree of operational security. Interestingly, it too uses the file renaming strategy\r\nPondRAT and POOLRAT Windows samples implement, except it skips the last random iteration.\r\nWe will publish a more thorough analysis of RemotePE in a future blogpost.\r\nSummary\r\nThis blog is about a Lazarus subgroup that we have encountered multiple times during incident response engagements. This\r\nis a capable, patient, financially motivated actor who remains a legitimate threat.\r\nWe first discussed an incident response case from 2024, where this actor impersonated employees of trading companies to\r\nestablish contact with potential victims. Though the method of achieving initial access remains unknown, we suspect a\r\nChrome zero-day was used.\r\nAfter initial access, two RATs were used in combination: PondRAT and ThemeForestRAT. Though PondRAT has already\r\nbeen discussed, there are no public analyses of ThemeForestRAT at the time of writing. For persistence, phantom DLL\r\nloading was used in conjunction with a custom loader called PerfhLoader.\r\nPondRAT is a primitive RAT that provides little flexibility, however, as an initial payload it achieves its purpose. It has\r\nsimilarities with POOLRAT/SimpleTea. 
For more complex tasks, the actor uses ThemeForestRAT, which has more\r\nfunctionality and stays under the radar as it is loaded into memory only.\r\nLastly, we found the actor replaced ThemeForestRAT and PondRAT with the more advanced RemotePE. A detailed analysis\r\nof RemotePE will be published in the near future. So, stay tuned!\r\nIn Tables 6 and 7, we list indicators of compromise related to the incident response cases we investigated and other artifacts\r\nwe link to this actor.\r\nIncident Response Support\r\nIf you have any questions or need assistance based on these findings, please contact Fox-IT CERT at cert@fox-it.com. For\r\nurgent matters, call 0800-FOXCERT (0800-3692378) within the Netherlands, or +31152847999 internationally to reach one\r\nof our incident responders.\r\nIndicators of Compromise\r\n
Type | Indicator | Comment\r\nnet.domain | calendly[.]live | Fake calendly.com\r\nnet.domain | picktime[.]live | Fake picktime.com\r\nnet.domain | oncehub[.]co | Fake oncehub.com\r\nnet.domain | go.oncehub[.]co | Fake oncehub.com\r\nnet.domain | dpkgrepo[.]com | Potentially related to Chrome exploitation\r\nnet.domain | pypilibrary[.]com | Unknown, visited by msiexec.exe shortly after dpkgrepo[.]com\r\nnet.domain | pypistorage[.]com | Unknown, connection seen under SessionEnv service\r\nnet.domain | keondigital[.]com | LPEClient server, connection seen under SessionEnv service\r\nnet.domain | arcashop[.]org | PondRAT C2\r\nnet.domain | jdkgradle[.]com | PondRAT C2\r\nnet.domain | latamics[.]org | PondRAT C2\r\nnet.domain | lmaxtrd[.]com | ThemeForestRAT C2\r\nnet.domain | paxosfuture[.]com | ThemeForestRAT C2\r\nnet.domain | www[.]plexisco[.]com | ThemeForestRAT C2\r\nnet.domain | ftxstock[.]com | ThemeForestRAT C2\r\nnet.domain | www[.]natefi[.]org | ThemeForestRAT C2\r\nnet.domain | nansenpro[.]com | ThemeForestRAT C2\r\nnet.domain | aes-secure[.]net | RemotePE payload delivery and C2\r\nnet.domain | azureglobalaccelerator[.]com | RemotePE payload delivery and C2\r\nnet.domain | azuredeploypackages[.]net | Unknown, connection seen via injected process\r\nnet.ip | 144.172.74[.]120 | Fast Reverse Proxy server\r\nnet.ip | 192.52.166[.]253 | Used as parameter for Quasar\r\n
file.path | %TEMP%\\tmpntl.dat | Windows keylogger output file path\r\nfile.path | C:\\Windows\\Temp\\TMP01.dat | Windows keylogger error file path\r\nfile.name | netraid.inf | ThemeForestRAT Windows configuration filename\r\nfile.path | /var/crash/cups | ThemeForestRAT Linux configuration file path\r\nfile.path | /private/etc/imap | ThemeForestRAT macOS configuration file path\r\nfile.path | /private/etc/krb5d.conf | POOLRAT macOS configuration file path, CISA 2021 report\r\nfile.path | /etc/apdl.cf | POOLRAT Linux configuration file path\r\nfile.path | %SystemRoot%\\system32\\apdl.cf | POOLRAT Windows configuration file path\r\nfile.path | /tmp/xweb_log.md | POOLRAT, PondRAT Linux libcurl error log file path\r\nfile.name | perfh011.dat | Encrypted payload loaded by PerfhLoader\r\nfile.name | hsu.dat | Filename actor used for SysInternals ADExplorer output\r\nfile.name | pfu.dat | Filename actor used for SysInternals Handle viewer output\r\nfile.name | fpc.dat | Dropped Fast Reverse Proxy configuration filename\r\nfile.name | fp.exe | Dropped Fast Reverse Proxy executable\r\nfile.name | tsvipsrv.dll | DLL phantom loaded by actor (SessionEnv)\r\nfile.name | wlbsctrl.dll | DLL phantom loaded by actor (IKEEXT)\r\nfile.name | adepfx.exe | Filename actor used for legitimate SysInternals ADExplorer\r\nfile.name | hd.exe | Filename actor used for legitimate SysInternals Nthandle.exe\r\nfile.name | msnprt.exe | Filename actor uses for Proxymini, open-source socks proxy\r\nfile.path | %LocalAppData%\\IconCache.log | Output path for custom browser credentials and cookies dumper based on Mimikatz\r\nfile.path | /private/etc/pdpaste | macOS keylogger file path\r\nfile.path | /private/etc/xmem | macOS keylogger output file path\r\nfile.path | /private/etc/tls3 | macOS screenshotter output directory\r\nfile.path | %LocalAppData%\\Microsoft\\Software\\Cache | Windows screenshotter output directory\r\nfile.path | c:\\windows\\system32\\cmui.exe | Themida-packed Quasar\r\nTable 6: Indicators of Compromise linked to actor, without hashes\r\n
digest.sha256 | Comment\r\n24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a | Fast Reverse Proxy v0.32.1, also observed by Mandiant in the 3CX supply chain attack\r\n4715e5522fc91a423a5fcad397b571c5654dc0c4202459fdca06841eba1ae9b3 | PerfhLoader\r\n8c3c8f24dc0c1d165f14e5a622a1817af4336904a3aabeedee3095098192d91f | PerfhLoader\r\nf4d8e1a687e7f7336162d3caed9b25d9d3e6cfe75c89495f75a92ca87025374b | POOLRAT Windows\r\n85045d9898d28c9cdc4ed0ca5d76eceb457d741c5ca84bb753dde1bea980b516 | POOLRAT Linux\r\n5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8 | POOLRAT macOS (CISA 2021 report)\r\nc66ba5c68ba12eaf045ed415dfa72ec5d7174970e91b45fda9ebb32e0a37784a | ThemeForestRAT Windows\r\nff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9 | ThemeForestRAT Linux\r\ncc4c18fefb61ec5b3c69c31beaa07a4918e0b0184cb43447f672f62134eb402b | ThemeForestRAT macOS\r\n6510d460395ca3643133817b40d9df4fa0d9dbe8e60b514fdc2d4e26b567dfbd | PondRAT Windows\r\n973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c | PondRAT Linux\r\nf0321c93c93fa162855f8ea4356628eef7f528449204f42fbfa002955a0ba528 | PondRAT macOS\r\n4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874 | DPAPILoader\r\naa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039 | DPAPILoader\r\n159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3 | DPAPILoader\r\n7a05188ab0129b0b4f38e2e7599c5c52149ce0131140db33feb251d926428d68 | RemotePELoader (decrypted from disk)\r\n37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef | RemotePE\r\n59a651dfce580d28d17b2f716878a8eff8d20152b364cf873111451a55b7224d | Windows keylogger\r\n3c8f5cc608e3a4a755fe1a2b099154153fb7a88e581f3b122777da399e698cca | Windows screenshotter\r\nd998de6e40637188ccbb8ab4a27a1e76f392cb23df5a6a242ab9df8ee4ab3936 | macOS keylogger (getkey)\r\ne4ce73b4dbbd360a17f482abcae2d479bc95ea546d67ec257785fa51872b2e3f | macOS screenshotter (getscreen)\r\n1a051e4a3b62cd2d4f175fb443f5172da0b40af27c5d1ffae21fde13536dd3e1 | macOS clipboard logger (pdpaste)\r\n9dddf5a1d32e3ba7cc27f1006a843bfd4bc34fa8a149bcc522f27bda8e95db14 | Proxymini tool, opensource SOCKS proxy tool\r\n2c164237de4d5904a66c71843529e37cea5418cdcbc993278329806d97a336a5 | Themida-packed Quasar\r\nTable 7: SHA256 hashes of tools used by the actor\r\n
YARA rules\r\nimport \"pe\"\r\n\r\nrule Lazarus_DPAPILoader_Hunting {\r\n    meta:\r\n        description = \"Hunting rule to detect DPAPILoader, a loader used to load RemotePE.\"\r\n        author = \"Fox-IT / NCC Group\"\r\n    strings:\r\n        $msg_1 = \"[!] Could not allocate memory at the desired base!\\n\"\r\n        $msg_2 = \"[!] Virtual section size is out ouf bounds: \"\r\n        $msg_3 = \"[!] Invalid relocDir pointer\\n\"\r\n        $msg_4 = \"[-] Not supported relocations format at %d: %d\\n\"\r\n        $msg_5 = \"[!] Cannot fill imports into 32 bit PE via 64 bit loader!\\n\"\r\n    condition:\r\n        any of them and pe.imports( \"Crypt32.dll\" , \"CryptUnprotectData\" )\r\n}\r\n\r\n
rule Lazarus_RemotePE_C2_strings {\r\n    meta:\r\n        description = \"RemotePE strings used for C2.\"\r\n        author = \"Fox-IT / NCC Group\"\r\n    strings:\r\n        $a = \"MicrosoftApplicationsTelemetryDeviceId\" wide ascii xor\r\n        $b = \"armAuthorization\" wide ascii xor\r\n        $c = \"ai_session\" wide ascii xor\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of them\r\n}\r\n\r\n
rule Lazarus_RemotePE_class_strings {\r\n    meta:\r\n        description = \"RemotePE class strings.\"\r\n        author = \"Fox-IT / NCC Group\"\r\n    strings:\r\n        $a = \"IMiddleController\" ascii wide xor\r\n        $b = \"IChannelController\" ascii wide xor\r\n        $c = \"IConfigProfile\" ascii wide xor\r\n        $d = \"IKernelModule\" ascii wide xor\r\n    condition:\r\n        all of them\r\n}\r\n\r\n
rule Lazarus_PerfhLoader_XOR_key {\r\n    meta:\r\n        description = \"XOR key used for shellcode obfuscation.\"\r\n        author = \"Fox-IT / NCC Group\"\r\n    strings:\r\n        $mov_1 = { C7 [1-3] 00 01 02 03 }\r\n        $mov_2 = { C7 [1-3] 04 05 06 07 }\r\n        $mov_3 = { C7 [1-3] 08 09 0A 0B }\r\n        $mov_4 = { C7 [1-3] 0C 0D 0E 0F }\r\n        $init_1 = { 41 8D ?? FD 41 8D ?? F9 }\r\n    condition:\r\n        all of them\r\n}\r\n\r\n
rule Lazarus_ThemeForestRAT_C2_strings {\r\n    meta:\r\n        description = \"ThemeForestRAT strings used for C2.\"\r\n        author = \"Fox-IT / NCC Group\"\r\n    strings:\r\n        $themeforest = \"ThemeForest_%s\" ascii wide\r\n        $thumb = \"Thumb_%s\" ascii wide\r\n        $param_code = \"code\" ascii wide\r\n        $param_fn = \"fn\" ascii wide\r\n        $param_ldf = \"ldf\" ascii wide\r\n    condition:\r\n        all of them\r\n}\r\n\r\n
rule Lazarus_ThemeForestRAT_RC4_key {\r\n    meta:\r\n        description = \"ThemeForest RC4 key used for config file.\"\r\n        author = \"Fox-IT / NCC Group\"\r\n    strings:\r\n        $rc4_key = { 20 1A 19 2D 83 8F 48 53 E3 00 }\r\n        $rc4_key_mov = { 20 1A 19 2D [2-8] 83 8F 48 53 [2-10] E3 00 }\r\n    condition:\r\n        any of them\r\n}\r\n
References\r\n1. https://securelist.com/operation-applejeus/87553/\r\n2. https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/\r\n3. https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise\r\n4. https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/\r\n5. https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/\r\n6. https://slowmist.medium.com/analysis-of-north-korean-hackers-targeted-phishing-scams-on-telegram-872db3f7392b\r\n7. https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/\r\n8. https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/\r\n9. https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\r\n10. https://www.nccgroup.com/us/how-the-lazarus-group-targets-fintech/\r\n
11. https://github.com/adamhlt/Manual-DLL-Loader\r\n12. https://github.com/ParrotSec/mimikatz\r\n13. https://aluigi.altervista.org/mytoolz.htm\r\n14. https://github.com/fatedier/frp\r\n15. https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise\r\n16. https://github.com/fatedier/frp/releases/tag/v0.32.1\r\n17. https://github.com/quasar/Quasar/releases/tag/v1.3.0.0\r\n18. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a\r\n19. https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/\r\n20. https://c.m.163.com/news/a/HQVV9MTS0538B1YX.html\r\n21. https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D\u0026mid=2247499462\u0026idx=1\u0026sn=7cc55f3cc2740e8818648efbec21615f\r\n22. https://vipyrsec.com/research/elf64-rat-malware/\r\n23. https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/\r\n24. https://attack.mitre.org/techniques/T1070/006/\r\n25. https://github.com/adamhlt/Manual-DLL-Loader\r\n26. https://github.com/nettitude/SimplePELoader/\r\n27. https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/\r\n28. https://www.codeproject.com/Articles/7828/CHttpClient-A-Helper-Class-Using-WinInet\r\n29. https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.02.24.Operation_Blockbuster/Blockbuster-RAT-and-Staging-Report.pdf\r\n30. https://attack.mitre.org/techniques/T1001/003/\r\nSource: https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/#7ad29534-c69c-41ce-ae8e-99c32f0d11b3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/#7ad29534-c69c-41ce-ae8e-99c32f0d11b3"
	],
	"report_names": [
		"#7ad29534-c69c-41ce-ae8e-99c32f0d11b3"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434241,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63bf461a96459ff4787809998f79d381e2fa5bcb.pdf",
		"text": "https://archive.orkl.eu/63bf461a96459ff4787809998f79d381e2fa5bcb.txt",
		"img": "https://archive.orkl.eu/63bf461a96459ff4787809998f79d381e2fa5bcb.jpg"
	}
}