Three Lazarus RATs coming for your cheese

ID: 9a4b180c-96ac-5adb-b567-ff4d5127abef

STIX ID: report--9a4b180c-96ac-5adb-b567-ff4d5127abef

Feed Name: Fox-IT blog

Threat Score
88/100

Date Published: 2025-09-01

Date Updated: 2026-04-27

...
...

This Fox-IT/NCC Group report documents a Lazarus subgroup that targets cryptocurrency and DeFi organizations through Telegram social engineering, suspected Chrome zero-day exploitation, and the staged deployment of multiple RATs (PondRAT, ThemeForestRAT) followed by a more advanced RemotePE loader. It analyzes persistence (phantom DLL loading with PerfhLoader), the C2 protocols, command functionality, and ties to POOLRAT/ROMEOGOLF-era tooling, and provides extensive IOCs, YARA rules, and detection guidance.