Lazarus Group Deploys Advanced RemotePE Memory-Only RAT Targeting Financial and Cryptocurrency Firms
May 25, 2026 – Cybersecurity Intelligence
Researchers have uncovered a sophisticated cross-platform malware tool named RemotePE, actively used by the North Korea-linked Lazarus Group in targeted attacks against financial institutions and cryptocurrency organizations. Detailed by Fox-IT, a subsidiary of NCC Group, RemotePE represents a stealthy, multi-stage Remote Access Trojan (RAT) that operates exclusively in memory, leaving minimal traces and evading traditional detection mechanisms.
Multi-Stage Attack Chain Leveraging DPAPI
RemotePE is deployed through a layered attack sequence involving two loaders known as DPAPILoader and RemotePELoader. According to security researchers Yun Zheng Hu and Mick Koomen, “DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI).” Subsequently, RemotePELoader establishes communication with a command-and-control (C2) server and waits to receive the final RemotePE payload, which is executed entirely in memory—never written to disk—resulting in zero filesystem artifacts.
This operational approach significantly reduces forensic footprints and complicates detection efforts, highlighting the malware’s design for prolonged stealthy operations.
Origin and Infection Vector
RemotePE first came to light in September 2025 following an attack on an unnamed decentralized finance (DeFi) sector organization. That intrusion deployed three malware families simultaneously: PondRAT, ThemeForestRAT, and RemotePE.
The initial compromise began with a social engineering attack targeting an employee. The attackers impersonated a trading company employee on Telegram and arranged meetings using fraudulent Calendly and Picktime scheduling domains, demonstrating a highly targeted and personalized campaign.
Technical Details and Evasion Techniques
The infection unfolds in three stages:

- Stage 1: DPAPILoader, a DLL named “Iassvc.dll”, decrypts the RemotePELoader payload from disk using DPAPI. This loader artifact dates back to November 2023, indicating an extended development period.
- Stage 2: RemotePELoader contacts a remote C2 server hosted at “aes-secure[.]net” over HTTP. It downloads the core module and executes it directly in memory, employing evasion techniques such as Hell’s Gate (which allows system calls to be invoked directly from user mode) and patching Event Tracing for Windows (ETW) to avoid detection by endpoint detection and response (EDR) tools.
- Stage 3: The final payload, the RemotePE RAT, is a comprehensive C++ remote access trojan that polls the C2 for commands. It supports six categories of instructions, including managing the C2 configuration, performing file operations, process manipulation, DLL injection, and stealth actions such as sleeping or exiting the RAT.
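The one artifact this chain does leave on disk is the DPAPI-protected RemotePELoader blob that DPAPILoader decrypts in Stage 1. The hunting script below is an added example, not code from the Fox-IT research or from the malware: it sweeps a directory tree for files that start with the standard DPAPI blob header and sit outside the directories where Windows itself keeps such blobs. The allow-list of expected directories and the 4 KB minimum size are assumptions to tune per environment, and the approach is general to any DPAPI-wrapped stage, not only this loader.

```python
import os
from pathlib import Path

# On-disk DPAPI blob header: dwVersion == 1 (little-endian DWORD) followed by
# the provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in its mixed-endian
# byte layout. This 20-byte prefix is the conventional DPAPI blob signature.
DPAPI_BLOB_HEADER = bytes.fromhex("01000000" "d08c9ddf0115d1118c7a00c04fc297eb")

# Directories where DPAPI blobs are expected (assumed starting allow-list, extend
# for your environment); matched as lower-case path fragments.
EXPECTED_BLOB_DIRS = ("microsoft/credentials", "microsoft/protect",
                      "microsoft/vault", "microsoft/crypto")


def is_dpapi_blob(data: bytes) -> bool:
    """True when the bytes begin with a DPAPI blob header."""
    return data.startswith(DPAPI_BLOB_HEADER)


def in_expected_location(path: Path) -> bool:
    """True when the path lies under a directory that legitimately holds DPAPI blobs."""
    normalized = path.as_posix().lower()
    return any(fragment in normalized for fragment in EXPECTED_BLOB_DIRS)


def find_dpapi_blobs(root, min_size: int = 4096) -> list:
    """Walk `root` and return files that start with a DPAPI blob header, are at
    least `min_size` bytes (a wrapped loader DLL is not tiny) and sit outside
    the expected DPAPI directories. Results are sorted for stable reporting."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            try:
                if path.stat().st_size < min_size or in_expected_location(path):
                    continue
                with path.open("rb") as fh:
                    head = fh.read(len(DPAPI_BLOB_HEADER))
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            if is_dpapi_blob(head):
                hits.append(str(path))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in find_dpapi_blobs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("DPAPI blob outside expected location:", hit)
```

A hit is a triage lead, not a verdict: confirm by checking which process reads the file and whether a DPAPI decryption call follows.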
A distinctive feature is its secure file deletion mechanism, where the RAT overwrites files seven times with constant bytes before renaming and deleting them. This method mirrors actions seen in related malware such as PondRAT and POOLRAT (also known as SIMPLESEA), with PondRAT believed to be a lightweight derivative of POOLRAT.
Development and Operational Insights
Fox-IT analyzed four RemotePE samples dated from mid-2023 through mid-2024, with the earliest compilation timestamp from July 4, 2023. The tool’s emphasis on environmental keying, execution solely within memory, evasion of EDR detection, and a minimal forensic footprint suggests it is engineered for long-term espionage and observation rather than immediate disruption.
Researchers noted, “This allows the actor to quietly maintain access over an extended period before executing a high-impact objective such as data theft or a major financial heist, which aligns with Lazarus Group’s historical operation patterns.”
Notably, the malware’s agent-in-the-loop delivery model and low detection rate (with neither RemotePELoader nor RemotePE appearing on VirusTotal before this disclosure) imply that this toolset is likely reserved for high-value targets, especially within financial and cryptocurrency domains where stealthy, persistent access is paramount.
Implications for Financial and Crypto Sectors
This revelation underscores the increasing sophistication of threats facing financial institutions and cryptocurrency entities, sectors that continue to attract state-sponsored actors like Lazarus due to their lucrative potential.
Organizations are urged to strengthen their defenses with behavioral detection capable of identifying in-memory threats, and to remain vigilant against the targeted social engineering that serves as the initial access vector in these intrusions.
Reported by Ravie Lakshmanan – Endpoint Security / Threat Intelligence