Lazarus Group Uses PondRAT, ThemeForestRAT and RemotePE in Social‑Engineering Strike on DeFi Organization
Summary of the observed campaign
Security researchers at NCC Group’s Fox‑IT observed a social‑engineering campaign in 2024 that has been attributed to the North Korea‑linked actor known as the Lazarus Group. The campaign distributed three distinct pieces of cross‑platform malware — named PondRAT, ThemeForestRAT and RemotePE — against an organization operating in the decentralized finance (DeFi) sector. Reporting indicates the operation targeted personnel through deception and resulted in a successful compromise of the organization under attack.
Background and why this matters
Lazarus Group has long been associated with both state‑level espionage and financially motivated cyber operations. Over the past decade this actor set a pattern of using malware, social engineering and supply‑chain techniques to pursue strategic and revenue‑generating objectives. High‑profile incidents historically linked to Lazarus include large ransomware campaigns and a series of cryptocurrency thefts that targeted exchanges and cross‑chain bridges. The group’s continued activity against DeFi firms underscores several persistent trends:
- DeFi platforms hold direct access to cryptographic assets with irreversible transaction models, making them attractive targets for monetization-focused actors.
- Attackers increasingly use social engineering to bypass technical controls by targeting human users who have privileged access to keys, administration consoles or deployment pipelines.
- Cross‑platform tooling allows adversaries to operate flexibly across environments (development machines, build servers, cloud instances and desktops), increasing the blast radius of a single successful intrusion.
Technical implications and practitioner analysis
The campaign’s use of three separate RAT families indicates a multi‑tool approach that can serve several operational needs: initial access via social engineering, command and control for interactive persistence, and tooling for lateral movement and data exfiltration. While detailed technical indicators for PondRAT, ThemeForestRAT and RemotePE were reported by Fox‑IT, the broader operational lessons for defenders are clear:
- Social engineering remains a primary vector. Phishing and targeted lures continue to be effective against staff with privileged access.
- Cross‑platform malware complicates containment. Detection capabilities must span endpoints, developer systems and cloud workloads.
- Multiple distinct implants in the same incident suggest the actor stages capabilities, using one tool for reconnaissance and credential harvesting and another for sustained remote control or data staging.
Analysis: Organisations should assume sophisticated threat actors will chain social engineering with bespoke tooling. Effective defense requires aligning detection across identity, endpoints, build systems and cloud telemetry, and preparing incident response plans that preserve forensic evidence while minimizing asset exposure.
Comparable cases and historical context
The observed campaign aligns with a known pattern: Lazarus and associated North Korea‑linked groups have targeted financial infrastructure and cryptocurrency ecosystems to generate revenue and move funds outside traditional banking controls. Examples widely reported in open sources include large‑scale ransomware events and notable cryptocurrency bridge and exchange compromises in recent years. Those incidents demonstrate several enduring risks for financial and DeFi sectors:
- Attackers often seek to capture signing material, hot wallet credentials, private keys or administrative access that allows them to execute irreversible transfers.
- Bridges and smart‑contract ecosystems with complex trust models have been repeatedly exploited when an adversary gains sufficient access to sensitive credentials or deployment pipelines.
- Supply‑chain and third‑party compromise continues to be an enabling factor for wide distribution of malicious code.
Risks, operational implications and recommended mitigations
For organizations in DeFi and related financial technology sectors, the combination of social engineering and cross‑platform remote access tools presents several concrete risks: theft of funds, long‑term persistence enabling future intrusions, theft of intellectual property and reputational damage. Practical, prioritized mitigations for security teams and executives include:
- Harden identity and privileged access:
  - Enforce MFA for all administrative and deployment interfaces; prefer hardware MFA (FIDO2) where possible.
  - Apply least‑privilege principles and just‑in‑time access for sensitive roles to reduce standing permissions.
- Segregate and protect key material:
  - Move high‑value signing keys and hot wallets to hardware security modules (HSMs) or dedicated key‑management services where signing can be performed without exporting keys.
  - Adopt multi‑signature (multi‑sig) schemes and transaction approval workflows that require independent human verification for large transfers.
- Improve detection across environments:
  - Deploy EDR or EDR‑style sensors on developer workstations, build hosts and cloud instances; tune for anomalous process behavior and command‑and‑control patterns.
  - Monitor for unusual outbound connections, spikes in data egress and unexpected child‑process creation from developer tooling or CI runners.
- Secure software supply chains:
  - Harden CI/CD pipelines: require artifact signing and reproducible builds, and restrict which accounts can publish or deploy code.
  - Vet and monitor third‑party dependencies and maintain a software bill of materials (SBOM) for critical components.
- Prepare and practice incident response:
  - Maintain playbooks that cover credential theft, wallet compromise and smart‑contract rollback options where available.
  - Perform tabletop exercises with legal, communications and executive teams to ensure a rapid, coordinated response when funds or keys are at risk.
Detection, forensics and information sharing
When dealing with suspected Lazarus‑style activity, immediate priorities are containment, preservation of forensic evidence and coordinated disclosure. Practical steps include:
- Isolate affected hosts and preserve memory and disk images for analysis.
- Collect and correlate logs from endpoints, identity providers, CI/CD systems and cloud platforms to reconstruct the chain of events.
- Share findings and indicators with trusted industry threat‑intelligence communities and, where appropriate, law enforcement partners—particularly if funds were exfiltrated or cross‑chain transfers were observed.
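The detection guidance above (unexpected child processes from developer tooling or CI runners, and spikes in data egress) can be expressed as simple correlation rules over endpoint and network telemetry. The following is an added example, not code from the Fox‑IT report or the article; the event records are constructed, the field names and the parent/child allow‑ and watch‑lists are assumptions, and a real deployment would source these from EDR and flow logs.

```python
# Added example: detection rules for the telemetry described above.
# Records are constructed for illustration; field names are assumptions.
from collections import defaultdict

# Developer / CI parents that are common but rarely spawn shells or downloaders
DEV_PARENTS = {"node", "python3", "gradle", "npm", "gitlab-runner", "code"}
# Children that indicate hands-on-keyboard or second-stage retrieval behaviour
WATCH_CHILDREN = {"sh", "bash", "zsh", "powershell.exe", "curl", "wget", "nc", "osascript"}

PROCESS_EVENTS = [  # constructed process-creation events
    {"host": "dev-01", "parent": "code", "child": "node"},
    {"host": "dev-01", "parent": "node", "child": "bash"},
    {"host": "ci-03", "parent": "gitlab-runner", "child": "curl"},
    {"host": "dev-02", "parent": "explorer.exe", "child": "chrome.exe"},
]

EGRESS_EVENTS = [  # constructed bytes-sent-per-host-per-hour summaries
    {"host": "dev-01", "hour": 9, "bytes": 12_000_000},
    {"host": "dev-01", "hour": 10, "bytes": 15_000_000},
    {"host": "dev-01", "hour": 11, "bytes": 900_000_000},
    {"host": "ci-03", "hour": 9, "bytes": 50_000_000},
    {"host": "ci-03", "hour": 10, "bytes": 52_000_000},
]

def suspicious_children(events):
    """(host, parent, child) where dev tooling spawned a shell or download utility."""
    return [(e["host"], e["parent"], e["child"]) for e in events
            if e["parent"] in DEV_PARENTS and e["child"] in WATCH_CHILDREN]

def egress_spikes(events, factor=5.0, min_bytes=100_000_000):
    """(host, hour, bytes) where egress exceeds factor x the host's median of its
    other hours and also exceeds an absolute floor, to suppress noisy small hosts."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, recs in by_host.items():
        for r in recs:
            others = sorted(x["bytes"] for x in recs if x is not r)
            if not others:  # a single sample has no baseline to compare against
                continue
            baseline = others[len(others) // 2]
            if r["bytes"] >= min_bytes and r["bytes"] > factor * baseline:
                alerts.append((host, r["hour"], r["bytes"]))
    return alerts

if __name__ == "__main__":
    print("child-process alerts:", suspicious_children(PROCESS_EVENTS))
    print("egress alerts:", egress_spikes(EGRESS_EVENTS))
```

Both rules are intentionally coarse; the value comes from joining their output with identity and CI/CD logs for the same host and time window, as the correlation step above recommends.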
Conclusion
The Fox‑IT observation that a Lazarus‑attributed campaign used PondRAT, ThemeForestRAT and RemotePE against a DeFi organization reinforces two enduring truths: adversaries continue to combine social engineering with flexible tooling to target financial assets, and DeFi environments remain high‑value targets because of the direct access to irreversible funds. Organizations should prioritize identity hardening, key custody controls, supply‑chain hygiene, and broad telemetry collection across dev, endpoint and cloud environments. Preparing and exercising an incident response plan that addresses credential compromise and fund‑recovery scenarios is essential to limit impact when sophisticated actors engage.
Source: thehackernews.com