Pulse: IOC — Three Lazarus RATs coming for your cheese
TLP: WHITE | Author: celestre | Created: 2025-09-03 | Modified: 2025-10-03
60 IOCs (high volume)
In the past few years, Fox-IT and NCC Group have conducted multiple incident response cases involving a Lazarus subgroup that specifically targets organizations in the financial and cryptocurrency sector. This Lazarus subgroup overlaps with activity linked to AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces. This actor uses different remote access trojans (RATs) in their operations, known as PondRAT5, ThemeForestRAT and RemotePE. In this article, we analyse and discuss these three.
Indicators of Compromise (7 shown of 60 total; indicator types in the full pulse: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, domain, hostname)

TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-MD5 | 19dbffec4e359a198daf4ffca1ab9165 | MD5 of 24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a | 2025-09-03
FileHash-MD5 | 23c2569a65870a9e412d98d5b3bdc554 | MD5 of 159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3 | 2025-09-03
FileHash-MD5 | 33c9a47debdb07824c6c51e13740bdfe | MD5 of 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c | 2025-09-03
FileHash-MD5 | 451c23709ecd5a8461ad060f6346930c | MD5 of 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8 | 2025-09-03
FileHash-MD5 | 75a46b23825ce7aa4ca297d93450f4e2 | MD5 of aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039 | 2025-09-03
FileHash-MD5 | 893fed20a939e613f2b108096573eb8b | MD5 of 9dddf5a1d32e3ba7cc27f1006a843bfd4bc34fa8a149bcc522f27bda8e95db14 | 2025-09-03
FileHash-MD5 | d3ee425502cb60db1e75ef5bfd232c72 | MD5 of 8c3c8f24dc0c1d165f14e5a622a1817af4336904a3aabeedee3095098192d91f | 2025-09-03