Lazarus Group Unleashes RemotePE: A Stealthy Memory-Only RAT Targeting Financial and Crypto Sectors


Lazarus Group Deploys RemotePE Memory-Only RAT Targeting Financial and Cryptocurrency Firms

May 25, 2026 — In a significant development in cyber threat intelligence, researchers have unveiled a sophisticated cross-platform malware known as RemotePE, actively used by the North Korea-linked Lazarus Group. This malware campaign specifically targets organizations in the financial and cryptocurrency sectors, underscoring the ongoing cyber risks faced by these industries.

Multi-Stage Attack Utilizing Memory-Only Remote Access Trojan

Discovered and analyzed by cybersecurity experts from Fox-IT, a subsidiary of NCC Group, RemotePE operates as part of a complex, multi-stage attack chain involving two primary loaders: DPAPILoader and RemotePELoader. According to researchers Yun Zheng Hu and Mick Koomen,

"DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI). RemotePELoader then beacons to a command-and-control (C2) server, awaiting further instructions. The ultimate payload, RemotePE, is a remote access Trojan (RAT) that executes entirely in memory without ever being written to disk, leaving no filesystem artifacts."

This in-memory execution strategy provides the attackers with a stealthy foothold, minimizing chances of detection by traditional endpoint security solutions.

Initial Detection and Attack Vector

RemotePE was first brought to light in September 2025 after an attack on an as-yet-unnamed organization in the decentralized finance (DeFi) sector. The initial intrusion stemmed from social engineering: the attackers impersonated a legitimate employee via Telegram and convinced the target to join a meeting scheduled through fake Calendly and Picktime domains, which paved the way for device compromise.

Detailed Infection Process

The infection unfolds in three phases:

  1. DPAPILoader (DLL named "Iassvc.dll"): This component decrypts and loads an encrypted payload from disk using the Windows Data Protection API. The earliest known artifact of DPAPILoader dates back to November 2023.

  2. RemotePELoader: This loader contacts a remote server at aes-secure[.]net via HTTP, retrieves the core RemotePE module, and executes it directly in memory. It uses advanced evasion techniques like Hell’s Gate and patches Event Tracing for Windows (ETW) mechanisms to avoid detection.

  3. RemotePE RAT: The main payload is a robust remote access Trojan written in C++. It continuously polls the attacker’s C2 server for commands, supporting six categories that include configuration management, file operations, process control, DLL injection, and stealthy self-termination.

A notable feature is the file deletion command, which securely overwrites files with constant bytes seven times before renaming and deleting them. This behavior is consistent with other malware families linked to Lazarus, such as PondRAT and POOLRAT (also known as SIMPLESEA). Research suggests PondRAT functions as a lightweight derivative of POOLRAT.
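The overwrite-rename-delete sequence described above is a behavioural pattern a defender can hunt for in file-activity telemetry. The following detection heuristic is an added example written for this article, not code from Fox-IT or from the malware; the event rows, process IDs and paths are constructed, and the threshold of seven matches the article's description.

```python
from collections import defaultdict

# Constructed file-activity telemetry (not from the article): one event per row as
# (timestamp, pid, operation, path, rename_destination_or_None).
EVENTS = [
    *[(t, 4120, "WRITE", r"C:\Users\a\Documents\ledger.xlsx", None) for t in range(1, 8)],
    (8, 4120, "RENAME", r"C:\Users\a\Documents\ledger.xlsx", r"C:\Users\a\Documents\k7f2.tmp"),
    (9, 4120, "DELETE", r"C:\Users\a\Documents\k7f2.tmp", None),
    # benign: an editor saving a few times, then a backup rename and cleanup
    *[(t, 2200, "WRITE", r"C:\Users\a\notes.txt", None) for t in range(10, 13)],
    (13, 2200, "RENAME", r"C:\Users\a\notes.txt", r"C:\Users\a\notes.bak"),
    (14, 2200, "DELETE", r"C:\Users\a\notes.bak", None),
    # benign: many saves followed by a plain delete, with no rename step
    *[(t, 3300, "WRITE", r"C:\Users\a\report.docx", None) for t in range(20, 30)],
    (30, 3300, "DELETE", r"C:\Users\a\report.docx", None),
]

OVERWRITE_THRESHOLD = 7  # the article: seven constant-byte overwrites before rename and delete


def detect_overwrite_rename_delete(events, threshold=OVERWRITE_THRESHOLD):
    """Return one alert per (pid, original path) that was written at least
    `threshold` times, then renamed, then deleted, in that order."""
    writes = defaultdict(int)  # (pid, path) -> number of WRITE events seen
    origin = {}                # (pid, current path) -> original path, for renamed files
    alerts = []
    for _, pid, op, path, dst in sorted(events):  # timestamps are unique, so this orders by time
        key = (pid, path)
        if op == "WRITE":
            writes[key] += 1
        elif op == "RENAME":
            orig = origin.pop(key, path)  # follow chains of renames back to the original name
            if writes[(pid, orig)] >= threshold:
                origin[(pid, dst)] = orig
        elif op == "DELETE":
            orig = origin.pop(key, None)
            if orig is not None:  # only files that went overwrite -> rename -> delete
                alerts.append({"pid": pid, "original": orig, "deleted_as": path,
                               "overwrites": writes[(pid, orig)]})
    return alerts


if __name__ == "__main__":
    for a in detect_overwrite_rename_delete(EVENTS):
        print(f"pid {a['pid']}: {a['original']} overwritten {a['overwrites']}x, "
              f"renamed to {a['deleted_as']}, then deleted")
```

Lowering the threshold widens the net at the cost of catching ordinary save-rename-cleanup behaviour, so tune it against your own baseline before alerting on it.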

Ongoing Development and Stealth Focus

Fox-IT reports having obtained four samples of RemotePE, showing active development from mid-2023 to mid-2024. The earliest sample was compiled on July 4, 2023. Researchers note,

"The toolset’s environmental keying, memory-only execution, endpoint detection and response (EDR) evasion, and minimal forensic footprint highlight its design for prolonged, covert surveillance campaigns."

This stealth-first approach aligns with Lazarus Group’s known tactics of maintaining long-term access before executing high-impact objectives such as large-scale financial theft or sensitive data exfiltration.

Exclusive Use for High-Value Targets

The delivery method involves direct human interaction ("actor-in-the-loop"), and the malware’s components previously evaded detection by major antivirus databases—including VirusTotal—until this disclosure. This low detection rate implies that RemotePE is reserved for highly targeted operations against valuable financial and cryptocurrency institutions.

Implications for Financial and Crypto Sectors

The revelation of RemotePE’s capabilities underlines the persistent and evolving nature of cyber threats facing financial institutions and crypto-related organizations. The Lazarus Group’s sophisticated attack methodology highlights the need for enhanced security measures, including advanced behavioral detection and employee awareness training to counter social engineering exploits.



Reporter: Ravie Lakshmanan
Category: Endpoint Security / Threat Intelligence
Source: The Hacker News

© 2026 The Hacker News. All Rights Reserved.
