Live Cybersecurity News Ticker | Codekeeper

Lazarus Hackers Use Suspected Chrome Zero-Day to Deploy Triple RAT Attack

Written by Content Team | Sep 2, 2025 12:18:08 PM

A sophisticated Lazarus subgroup is targeting financial and crypto organizations with a three-stage malware attack that may exploit a Chrome zero-day vulnerability. The hackers pose as legitimate trading firm employees on Telegram, luring victims to fake meeting sites like counterfeit Calendly portals.

Once a victim is compromised, the attackers deploy PondRAT as an initial loader, followed by the memory-resident ThemeForestRAT for stealth operations. After months of reconnaissance, they install RemotePE RAT for long-term access. The malware enables file manipulation, credential theft, and data exfiltration over encrypted channels.

DeFi organizations have reported significant disruptions from these hidden backdoors. The attack chain uses advanced techniques including phantom DLL hijacking and rolling XOR encryption to evade detection, catching many security teams off guard despite known Lazarus activity.

Source: Cybersecurity News