Poolrat
POOLRAT is a macOS backdoor malware family associated with the Lazarus Group. Reporting also refers to it as SIMPLESEA, and it was previously attributed to Lazarus. It has been linked to activity related to the 3CX supply-chain compromise: Mandiant later corrected an earlier identification and assessed that 3CX's macOS build server was compromised with the POOLRAT backdoor, using Launch Daemons for persistence. POOLRAT is also referenced as sharing a distinctive secure file-deletion pattern with other Lazarus tooling: files are overwritten seven times before being renamed and deleted. Additional reporting assesses PondRAT to be a lighter version of POOLRAT, and notes that the Linux and macOS POOLRAT variants share highly similar configuration-loading and command-handling structures. The malware is associated with Lazarus-linked clusters including UNC4736 / Gleaming Pisces / Citrine Sleet in related reporting. High-confidence behavioral details directly supported by the cited reporting include its role as a backdoor on macOS, its use in Lazarus operations, Launch Daemons persistence in the 3CX case, and the overlap in secure-deletion behavior with other Lazarus malware families.
Groups observed using it
2 distinct threat actors attributed by public researchers.
RemotePE also implements secure file deletion functionality by repeatedly overwriting files seven times prior to deletion, behavior previously associated with Lazarus-linked malware families such as PondRAT and POOLRAT.
One notable exception is the file deletion command, which overwrites each file with constant bytes seven times before renaming and deleting it, a secure deletion pattern consistent with PondRAT and POOLRAT, two malware families previously associated with this actor.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
"The attackers behind this campaign uploaded several poisoned Python packages to PyPI..." ... "Successful installation of malicious third-party packages can result in malware infection that compromises an entire network."
"SentinelOne began to see a spike in behavioral detections of the 3CXDesktopApp... Behavioral detections prevented these trojanized installers from running... The compromise includes a code signing certificate used to sign the trojanized binaries."
"Operation Dream Job, wherein prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware."
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
2 techniques
Before contacting its command-and-control server, it removes security hooks placed by endpoint protection products and disables Windows event tracing, allowing the malware to operate with little or no visibility to defenders.
RemotePE also implements secure file deletion functionality by repeatedly overwriting files seven times prior to deletion, behavior previously associated with Lazarus-linked malware families such as PondRAT and POOLRAT.
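The seven-pass overwrite, rename, delete sequence described above is a behavioral signature a defender can look for in file-activity telemetry. The following is an added detection example, not code from the page or from any of the cited vendors; the event tuple layout (pid, operation, path, new_path) and the sample events are constructed for illustration and would need to be mapped onto your own EDR or audit schema.

```python
"""Flag the overwrite-N-times, rename, then unlink sequence in file-activity events."""
from collections import defaultdict

# Constructed sample telemetry (not real data): (pid, op, path, new_path).
# PID 4242 mimics the secure-deletion pattern; PID 1234 is ordinary log churn.
SAMPLE_EVENTS = (
    [(4242, "write", "/tmp/stage.bin", None)] * 7
    + [(4242, "rename", "/tmp/stage.bin", "/tmp/.x9k2"),
       (4242, "unlink", "/tmp/.x9k2", None)]
    + [(1234, "write", "/var/log/app.log", None)] * 2
    + [(1234, "unlink", "/var/log/app.log", None)]
)

OVERWRITE_COUNT = 7  # passes reported for PondRAT / POOLRAT / RemotePE


def find_secure_delete_sequences(events, overwrites=OVERWRITE_COUNT):
    """Return (pid, original_path, deleted_path) for each matching sequence.

    State is kept per (pid, path): a run of consecutive writes, then a rename
    of that path, then an unlink of the renamed path. Any other operation on
    the path breaks the run so unrelated activity does not accumulate.
    """
    writes = defaultdict(int)  # (pid, path) -> consecutive write count
    renamed = {}               # (pid, new_path) -> original path after rename
    hits = []
    for pid, op, path, new_path in events:
        key = (pid, path)
        if op == "write":
            writes[key] += 1
            renamed.pop(key, None)  # writing to the renamed file breaks the pattern
        elif op == "rename":
            if writes.get(key, 0) >= overwrites and new_path:
                renamed[(pid, new_path)] = path
            writes.pop(key, None)
        elif op == "unlink":
            if key in renamed:
                hits.append((pid, renamed.pop(key), path))
            writes.pop(key, None)
        else:
            writes.pop(key, None)
            renamed.pop(key, None)
    return hits


if __name__ == "__main__":
    for pid, src, dst in find_secure_delete_sequences(SAMPLE_EVENTS):
        print(f"pid {pid}: {src} overwritten {OVERWRITE_COUNT}x, renamed to {dst}, deleted")
```

The threshold is a parameter so the same logic can be tuned if a variant changes the pass count; treat a hit as a lead to correlate with process lineage, not as a conviction on its own.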
Command and Control
1 technique
"...runs the Linux and macOS versions of the RAT malware after retrieving them from a remote server." ... "the mechanism that handles commands from the [command-and-control server] is nearly identical."
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A Lazarus-linked RAT family referenced because it shares secure file deletion behavior with RemotePE.
A Lazarus RAT mentioned for sharing a secure deletion pattern with RemotePE.
A malware family previously associated with the same actor; cited here because its secure deletion behavior resembles RemotePE's file deletion implementation.
macOS (and newly noted Linux) backdoor attributed to Lazarus Group; shares code structure and C2 command-handling mechanisms with PondRAT and is associated with supply-chain related activity (e.g., 3CX).