Pondrat

Malware updated a month ago (2024-10-17T13:04:14.198Z)
Download STIX
Preview STIX
PondRAT is a type of malware, specifically a Remote Access Trojan (RAT) variant, that targets Linux and macOS systems. It was first identified in 2021 as part of a cryptocurrency-themed Kupay Wallet macOS malware package during an AppleJeus campaign, according to a report by the Cybersecurity & Infrastructure Security Agency (CISA). The malware can infiltrate a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data for ransom. The malware has been distributed in various ways, including through malicious packages on Python Package Index (PyPI). In February 2024, analysis of these packages revealed another sample identified as PondRAT. Attackers have also used similar methods with other types of malware such as Comebacker, which was part of a campaign targeting security researchers in 2020. Since its first appearance, seven samples of PondRAT have been identified on macOS or Linux systems. Prevention and detection alerts have been implemented for each type of malware, including PondRAT, by cybersecurity companies like Cortex. These alerts were effective in blocking a PondRAT Linux sample. Additionally, Palo Alto Networks observed a PondRAT variant for macOS using rebelthumb.net as its command-and-control domain. This backdoor in the campaign was named PondRAT by Palo Alto, underlining the ongoing efforts to combat this and other malicious software threats.
Description last updated: 2024-10-17T12:18:41.772Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Poolrat is a possible alias for Pondrat. POOLRAT is a malicious software (malware) first reported by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021. It primarily targets macOS and Linux systems, functioning as a backdoor to gain unauthorized access. The malware was initially identified as a file named 'prtspool', suspe
2
AppleJeus is a possible alias for Pondrat. AppleJeus is a malware attributed with medium confidence to the North Korea-linked APT group "Gleaming Pisces," also known as Citrine Sleet, by researchers at Palo Alto's Unit 42. The group has been notorious for distributing versions of AppleJeus malware disguised as legitimate cryptocurrency tradi
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Macos
Linux
Python
Malware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Gleaming Pisces Threat Actor is associated with Pondrat. Gleaming Pisces, also known as Citrine Sleet, is a threat actor group linked to North Korea that has been active since at least 2018. This group is known for its sophisticated attacks against the cryptocurrency industry and has shown an affinity for targeting MacOS and Linux systems, forgoing the trhas used
2
Source Document References
Information about the Pondrat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more