Lazarus Group social engineering campaign targeting a DeFi organization

Campaign
First reported
Last updated
Happening score
H score 38
1 unique source, 1 article

Summary

Lazarus Group ran a social engineering campaign in 2024 that targeted a DeFi organization and compromised an employee system, creating a foothold for malware deployment and credential-harvesting activity. The operation used Telegram impersonation and fake scheduling pages to lure the victim into contact. It then progressed through PerfhLoader and a chain of PondRAT, ThemeForestRAT, and RemotePE tooling.

Related Happenings

RemotePE memory-only RAT activity by Lazarus Group targeting financial and cryptocurrency organizations

Malware Activity
First: 25.05.2026 12:32 Last: 25.05.2026 12:32 Sources 1

How related: The North Korea-linked threat actor known as the Lazarus Group has been attributed to a social engineering campaign that distributes three different pieces of cross-platform malware called PondRAT, ThemeForestRAT, and RemotePE.

About this happening: The **RemotePE** malware has been tied to **Lazarus Group** activity against **financial and cryptocurrency organizations**, raising the risk of stealthy long-term access and late...

REF6598 Obsidian social-engineering campaign targeting finance and crypto users

Campaign
First: 16.04.2026 14:02 Last: 16.04.2026 14:02 Sources 1

About this happening: The **REF6598** operation is using **LinkedIn**, **Telegram**, and **Obsidian** to deliver **PHANTOMPULSE**, creating a targeted intrusion path into **financial** and **cryptocurr...

Handala multi-stage malware with Telegram C2 and exfiltration

Malware Activity
First: 24.03.2026 11:30 Last: 24.03.2026 11:30 Sources 1

About this happening: The **Handala** malware package uses a **multi-stage payload** to give operators **remote access** to infected **Windows** devices, increasing the risk of stealthy data theft. The...

Anonymous Fénix DDoS and volunteer-recruitment campaign

Campaign
First: 23.02.2026 23:59 Last: 23.02.2026 23:59 Sources 1

About this happening: **Anonymous Fénix** escalated its **DDoS** campaign by recruiting volunteers, increasing disruption risk for **government and public-institution domains** across **Spain** and par...

UNC1069 GhostCall cryptocurrency social-engineering campaign

Campaign
First: 11.02.2026 08:50 Last: 11.02.2026 08:50 Sources 1

About this happening: **UNC1069** is **actively targeting the cryptocurrency sector** with a **social-engineering campaign** designed to steal credentials and data for **financial theft**. The operatio...

Timeline

  1. 02.09.2025 19:39 2 articles · 8mo ago

    Lazarus Group targets a DeFi organization with Telegram impersonation and a PondRAT malware chain

    Technical Analysis Update

    Lazarus Group was attributed to a social engineering campaign observed by NCC Group's Fox-IT in 2024 that targeted an organization in the decentralized finance (DeFi) sector and compromised an employee's system. The intrusion used Telegram impersonation of an existing employee, fake Calendly and Picktime websites, PerfhLoader, and a malware chain that included PondRAT, ThemeForestRAT, and RemotePE; Fox-IT also said there was evidence a then-zero-day Chrome browser exploit may have been used.
