Three Lazarus RATs coming for your cheese
TLP: WHITE | Adversary: Lazarus | Author: AlienVault | Created: 2025-09-03 | Modified: 2025-10-03
This report analyzes three remote access trojans (RATs) used by a Lazarus subgroup targeting financial and cryptocurrency organizations: PondRAT, ThemeForestRAT, and RemotePE. It details an incident response case from 2024 involving social engineering and possible zero-day exploitation. PondRAT is described as a simple initial access tool, while ThemeForestRAT is a more capable memory-only RAT deployed alongside it. RemotePE appears to be an advanced RAT deployed in later stages of the attack. The analysis reveals connections between these tools and previously known Lazarus malware such as POOLRAT. The report highlights the actor's persistence, sophistication, and continued threat to financial targets.
Indicators of Compromise (136)
TYPE INDICATOR CREATED
FileHash-MD5 0d451cd700544d333763089c64fb1f0a 2025-09-03
FileHash-MD5 0d714435e4c4c1f0e7fe20695734e513 2025-09-03
FileHash-MD5 0df2a1f2991d138d60ba0eb2bb77f373 2025-09-03
FileHash-MD5 1410b6bb5e2cf775660fb144528675cc 2025-09-03
FileHash-MD5 2cd0404b633b13979b3a33d631693ba9 2025-09-03
FileHash-MD5 32989b09ebb355f99894622d3af272a0 2025-09-03
FileHash-MD5 52a825b84e1318a3e50d065f78643689 2025-09-03
FileHash-MD5 93ed4656891d36a5b8499e139ba75ab6 2025-09-03
FileHash-MD5 99c4f15a0e46b6c778e336d4aaf6e2dc 2025-09-03
FileHash-MD5 a4ba7c5ed23fe7e9f05a2049383470f3 2025-09-03
FileHash-MD5 a8016f7810cb347c747f46875729f63c 2025-09-03
FileHash-MD5 bcf71bd7ff3af7139e735269008fb9ec 2025-09-03
FileHash-MD5 be3e2c20ff42451b02fc9ad2fce47dff 2025-09-03
FileHash-MD5 c9de787a91c1bc88149bc1349ec80ba8 2025-09-03
FileHash-MD5 d70ab881f617cae03dc7bcc4d0cfc524 2025-09-03
FileHash-MD5 ead0e113b1cfd2929e58dc37f3ae1a49 2025-09-03
FileHash-MD5 f8d23ab58295c2f4474d2bd92606a20d 2025-09-03
FileHash-SHA1 10a1f4044598353720f4f01e7bafc4f8f044bf36 2025-09-03
FileHash-SHA1 1cdd6fbe0c9eff2945d77e444a3dfa884ad1ba08 2025-09-03
FileHash-SHA1 26ca39ac11d97d42edf7797f0f0d83a376a377b4 2025-09-03
FileHash-SHA1 50c6198406a36252b447cdffad873609363bd081 2025-09-03
FileHash-SHA1 727f7347392ac54105c7ac725636ddf3188599ef 2025-09-03
FileHash-SHA1 729b3b62189c4f2fab99c1f79081928e5117c94b 2025-09-03
FileHash-SHA1 756153f386c7edae7a45b77d7368bfbbf060eddf 2025-09-03
FileHash-SHA1 775760853738f73c94a1df7f59a1ef5001414437 2025-09-03
FileHash-SHA1 7b78669c934a1d9ad3743abf4ceeb6c1139e706f 2025-09-03
FileHash-SHA1 92c26878c11b89e20a611ee5141ee43644f8ec39 2025-09-03
FileHash-SHA1 b058e9eda6f102404f4964671191ddc268501ae2 2025-09-03
FileHash-SHA1 b334a05f7be86c5b33f03d58217b4fadf50b3f0c 2025-09-03
FileHash-SHA1 c10ea26dd644c6dd68c3d9e9f8dc505c8bdd8b52 2025-09-03
FileHash-SHA1 cb818be1fce5393a83fbfcb3b6f4ac5a3b5b8a4b 2025-09-03
FileHash-SHA1 e546202ab7b709d8364f14b5383a56aaa523e4d9 2025-09-03
FileHash-SHA1 e6cdd67a2e951d53e8fd01d3f58f3ca870204d32 2025-09-03
FileHash-SHA1 ecd09b3d0d04f0cb50d9405b3cff832bfb55de3c 2025-09-03
FileHash-SHA1 fcc423afee99033bf05651f3e1b9b5acb02a258c 2025-09-03
FileHash-SHA256 1200c02da0d6505a841f140f6d1947f1ae43a13664ec65b356b273c75f42713b 2025-09-03
FileHash-SHA256 191e14e54cae4b33c077065b782a7161f0fd807a550a98fd1dac2db2b622c94c 2025-09-03
FileHash-SHA256 1b78ffb5e6a6e3a98baf433d1932d8b3e4907acb1fd27501f799cb2966c1395e 2025-09-03
FileHash-SHA256 1dfe016ae106feb6112fd689faeaa1d61c19a911493a4201fb510551364f7247 2025-09-03
FileHash-SHA256 1fd96cc95ec3f48e97cfcd08bb15d4dd30c11a5b582776dfa15f1a2e2b4ed94e 2025-09-03
FileHash-SHA256 231af2bfa36b6b0d2e892fbba967062eb0b421ee4f7126709c51adb564d0c5a2 2025-09-03
FileHash-SHA256 2d8e052bb93839dffe77b45be4418f64eeae35a7470a3c20827bae914dc1c7e4 2025-09-03
FileHash-SHA256 2e20410ce8369572beee811f1898f6bc5c6782083aa1cc8e6dacc07b3fd392c9 2025-09-03
FileHash-SHA256 3ee8fa11b85ec7a3e1f3cf3cee2553f795c56610091e373d4a7df344a66ae35d 2025-09-03
FileHash-SHA256 5ccfbeba9aa0f05d2dd4006afd7769f2e186dd321b521617a469936de89aa9a7 2025-09-03
FileHash-SHA256 6ce54331e126fd18c94e854a5e7fe3650a125cc83604f1a27a28f383e5193c07 2025-09-03
FileHash-SHA256 6dab43a75647c20ac46c6f1cc65607dd4d7bb104e234b4f74f301e772e36ab9b 2025-09-03
FileHash-SHA256 7c55af4675cf0a3d173cb4e1b9282425c6e00b6ccfad1a1bcb0fddf29631461e 2025-09-03
FileHash-SHA256 81c87a5a67963eab5193d342781e6b65604f7af74dd5cf7da960d20074da06b5 2025-09-03
FileHash-SHA256 9b03695ca0945995ec6e2bc31662c08b0f499998dcbcd51701bf03add19f1000 2025-09-03
FileHash-SHA256 a64cb2496fb1ef1adf9b5473e664dc1d124634233dd76b4d8fb5aa8d970742b5 2025-09-03
FileHash-SHA256 c1820cc86b5cca32d9b09a191a9461552f1f4477d427270e7440bd9d03737a64 2025-09-03
FileHash-SHA256 d88d27eb6cbc7da8d8c61f42756153f386c7edae7a45b77d7368bfbbf060eddf 2025-09-03
FileHash-SHA256 e8d1d9d6bb13a06fc893323a05063c868ba237b8729c120271384382eb60ed41 2025-09-03
FileHash-SHA256 f340bb3c2d175e027351319573ddc451b632defe9dc47bbc30eabf62f749fb46 2025-09-03
FileHash-SHA256 f46d277baf0bb8d63805ff51367d34a9cbdd7a0a1394ab384fbe12d98c8fc4b8 2025-09-03
domain mssscardprv.ax 2025-09-03
hostname www.estsoft.com 2025-09-03
hostname www.mremoteng.org 2025-09-03
FileHash-MD5 19dbffec4e359a198daf4ffca1ab9165 2025-09-03
FileHash-MD5 23c2569a65870a9e412d98d5b3bdc554 2025-09-03
FileHash-MD5 33c9a47debdb07824c6c51e13740bdfe 2025-09-03
FileHash-MD5 435c7b4fd5e1eaafcb5826a7e7c16a83 2025-09-03
FileHash-MD5 451c23709ecd5a8461ad060f6346930c 2025-09-03
FileHash-MD5 6f2f61783a4a59449db4ba37211fa331 2025-09-03
FileHash-MD5 75a46b23825ce7aa4ca297d93450f4e2 2025-09-03
FileHash-MD5 7cc55f3cc2740e8818648efbec21615f 2025-09-03
FileHash-MD5 893fed20a939e613f2b108096573eb8b 2025-09-03
FileHash-MD5 d3ee425502cb60db1e75ef5bfd232c72 2025-09-03
FileHash-SHA1 1a6366a45cb892cf76af8ba25d114334f1e34532 2025-09-03
FileHash-SHA1 22bbcab055bea7bd45e0081da61b6a567e32accb 2025-09-03
FileHash-SHA1 24cc64543f339d701b7fe6c7e05f41cb54c9dc83 2025-09-03
FileHash-SHA1 3b994549ab4fd9024b2f0155094d7aa43b70bb8f 2025-09-03
FileHash-SHA1 58b0516d28bd7218b1908fb266b8fe7582e22a5f 2025-09-03
FileHash-SHA1 6f391d282a37b770abcedd08c4c0e2156076cd8e 2025-09-03
FileHash-SHA1 7b6e6487b803bbe85d7466b89da51a269fa4fc29 2025-09-03
FileHash-SHA1 91def0a4dd9b35510d7f8897bc114f975a5d7e2b 2025-09-03
FileHash-SHA1 d7ba13662fbfb254acaad7ae10ad51e0bd631933 2025-09-03
FileHash-SHA256 159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3 2025-09-03
FileHash-SHA256 1a051e4a3b62cd2d4f175fb443f5172da0b40af27c5d1ffae21fde13536dd3e1 2025-09-03
FileHash-SHA256 24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a 2025-09-03
FileHash-SHA256 2c164237de4d5904a66c71843529e37cea5418cdcbc993278329806d97a336a5 2025-09-03
FileHash-SHA256 37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef 2025-09-03
FileHash-SHA256 3c8f5cc608e3a4a755fe1a2b099154153fb7a88e581f3b122777da399e698cca 2025-09-03
FileHash-SHA256 4715e5522fc91a423a5fcad397b571c5654dc0c4202459fdca06841eba1ae9b3 2025-09-03
FileHash-SHA256 479cc0a490ffa98652683796c5cef12f3e6380107aac83321a9705048b801b54 2025-09-03
FileHash-SHA256 4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874 2025-09-03
FileHash-SHA256 59a651dfce580d28d17b2f716878a8eff8d20152b364cf873111451a55b7224d 2025-09-03
FileHash-SHA256 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8 2025-09-03
FileHash-SHA256 6510d460395ca3643133817b40d9df4fa0d9dbe8e60b514fdc2d4e26b567dfbd 2025-09-03
FileHash-SHA256 774c71664d5d25775478607e74555462773e525e18237947355228337f433a3b 2025-09-03
FileHash-SHA256 7a05188ab0129b0b4f38e2e7599c5c52149ce0131140db33feb251d926428d68 2025-09-03
FileHash-SHA256 85045d9898d28c9cdc4ed0ca5d76eceb457d741c5ca84bb753dde1bea980b516 2025-09-03
FileHash-SHA256 8c3c8f24dc0c1d165f14e5a622a1817af4336904a3aabeedee3095098192d91f 2025-09-03
FileHash-SHA256 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c 2025-09-03
FileHash-SHA256 9dddf5a1d32e3ba7cc27f1006a843bfd4bc34fa8a149bcc522f27bda8e95db14 2025-09-03
FileHash-SHA256 aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039 2025-09-03
FileHash-SHA256 c66ba5c68ba12eaf045ed415dfa72ec5d7174970e91b45fda9ebb32e0a37784a 2025-09-03
FileHash-SHA256 cc4c18fefb61ec5b3c69c31beaa07a4918e0b0184cb43447f672f62134eb402b 2025-09-03
FileHash-SHA256 d998de6e40637188ccbb8ab4a27a1e76f392cb23df5a6a242ab9df8ee4ab3936 2025-09-03
FileHash-SHA256 e4ce73b4dbbd360a17f482abcae2d479bc95ea546d67ec257785fa51872b2e3f 2025-09-03
FileHash-SHA256 f0321c93c93fa162855f8ea4356628eef7f528449204f42fbfa002955a0ba528 2025-09-03
FileHash-SHA256 f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703 2025-09-03
FileHash-SHA256 f4d8e1a687e7f7336162d3caed9b25d9d3e6cfe75c89495f75a92ca87025374b 2025-09-03
FileHash-SHA256 ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9 2025-09-03
FileHash-SHA1 10da1920639e009539ac4e8b8c740a2c335bf630 2025-09-03
FileHash-SHA1 442f4abac74d844256e3ff60f929b358ded71881 2025-09-03
FileHash-SHA1 56f9b97fee195ed8dea39552eac288aa58cfaf48 2025-09-03
FileHash-SHA1 bddd1fb74bbed46f07743af28cb1e1468df3d3bd 2025-09-03
FileHash-SHA1 bef8714787a76d33d74dc23e7c750e74b57f6f04 2025-09-03
FileHash-SHA1 f8df313a370bc856a0f2c05c6d27e56c56b7448f 2025-09-03
domain aaaaaaa.aaa 2025-09-03
domain aes-secure.net 2025-09-03
domain apdl.cf 2025-09-03
domain arcashop.org 2025-09-03
domain azuredeploypackages.net 2025-09-03
domain azureglobalaccelerator.com 2025-09-03
domain calendly.live 2025-09-03
domain dpkgrepo.com 2025-09-03
domain file.name 2025-09-03
domain ftxstock.com 2025-09-03
domain jdkgradle.com 2025-09-03
domain keondigital.com 2025-09-03
domain latamics.org 2025-09-03
domain lmaxtrd.com 2025-09-03
domain nansenpro.com 2025-09-03
domain oncehub.co 2025-09-03
domain paxosfuture.com 2025-09-03
domain picktime.live 2025-09-03
domain pypilibrary.com 2025-09-03
domain pypistorage.com 2025-09-03
domain vipyrsec.com 2025-09-03
hostname decoded.avast.io 2025-09-03
hostname go.oncehub.co 2025-09-03
hostname www.natefi.org 2025-09-03
hostname www.plexisco.com 2025-09-03