Fox-IT and NCC Group analyzed a Lazarus subgroup targeting financial and cryptocurrency organizations, overlapping with activity linked to AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces. In a 2024 DeFi intrusion, the actor used Telegram social engineering with fake meeting websites and likely compromised an employee machine before deploying PondRAT. The actor established persistence through SessionEnv phantom DLL loading by placing PerfhLoader in %SystemRoot%\System32\, configuring the service to start automatically, and modifying required privileges to include SeDebugPrivilege and SeLoadDriverPrivilege. After gaining a foothold, the actor used RATs and tools for discovery, screenshots, keylogging, credential harvesting, and proxying, including Mimikatz, frpc, Proxy Mini, and actor-developed utilities. PondRAT and ThemeForestRAT were used for about three months before the actor removed those artifacts and installed the more advanced RemotePE RAT, suggesting a staged intrusion lifecycle against cryptocurrency-sector targets.