Security Articles

Three Lazarus RATs coming for your cheese

released on 2025-09-02 @ 05:22:01 PM
This report analyzes three remote access trojans (RATs) used by a Lazarus subgroup targeting financial and cryptocurrency organizations. The RATs, named PondRAT, ThemeForestRAT, and RemotePE, were observed during incident response cases. PondRAT is a simple RAT used as an initial payload, while ThemeForestRAT offers more functionality and operates in memory. RemotePE is a more advanced RAT deployed in later attack stages. The actor uses social engineering for initial access and employs various tools for network discovery. The report details the RATs' capabilities, command and control mechanisms, and similarities to previously known malware families. It highlights the persistent threat this actor poses and its evolving tactics against high-value financial targets.