This report analyzes three remote access trojans (RATs) used by a Lazarus subgroup targeting financial and cryptocurrency organizations: PondRAT, ThemeForestRAT, and RemotePE. It details an incident response case from 2024 involving social engineering and possible zero-day exploitation. PondRAT is described as a simple initial access tool, while ThemeForestRAT is a more capable memory-only RAT used in conjunction. RemotePE appears to be an advanced RAT deployed in later attack stages. The analysis reveals connections between these tools and previously known Lazarus malware like POOLRAT. The report highlights the actor's persistence, sophistication, and continued threat to financial targets.