The North Korea-linked threat actor known as the Lazarus Group has been attributed to a social engineering campaign that distributes three different pieces of cross-platform malware called PondRAT, ThemeForestRAT, and RemotePE.

The attack, observed by NCC Group's Fox-IT in 2024, targeted an organization in the decentralized finance (DeFi) sector, ultimately leading to the compromise of an employee's system.

"From there, the actor performed discovery from inside the network using different RATs in combination with other tools, for example, to harvest credentials or proxy connections," Yun Zheng Hu and Mick Koomen said . "Afterwards, the actor moved to a stealthier RAT, likely signifying a next stage in the attack."

The attack chain begins with the threat actor impersonating an existing

See Full Page