Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms

Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms Ravie LakshmananMay 25, 2026Endpoint Security / Threat Intelligence Cybersecurity researchers have shed light on a cross-platform malware called RemotePE that has been put to use by the North Korea-linked Lazarus Group in attacks targeting financial and cryptocurrency organizations. RemotePE, per NCC Group subsidiary Fox-IT, is part of a multi-stage attack chain that involves two loaders tracked as DPAPILoader and RemotePELoader. "DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI)," security researchers Yun Zheng Hu and Mick Koomen said. "RemotePELoader beacons to a C2 server and waits until it receives the next stage: RemotePE, a RAT executed entirely in memory and never written to disk, leaving no filesystem artifacts." RemotePE was first highlighted by the security vendor in September 2025 in connection with an attack targeting an unnamed organization in the decentralized finance (DeFi) sector, leading to the deployment of three malware families, including PondRAT, ThemeForestRAT, and RemotePE. The intrusion commenced with the compromise of an employee's device through social engineering, after having approached the victim on Telegram under the guise of an existing employee of a trading company and scheduling a meeting on fake Calendly and Picktime domains. The RemotePE infection sequence goes through three stages, with the DPAPILoader DLL ("Iassvc.dll") responsible for decrypting and loading an encrypted payload from disk using DPAPI. The earliest DPAPILoader artifact dates back to November 2023. The decrypted payload is another loader, RemotePELoader, which is designed to contact a remote server ("aes-secure[.]net") over HTTP, fetch the core module, and execute it in memory, but not before taking steps to evade detection using techniques like Hell's Gate and patching Event Tracing for Windows (ETW). The final stage is a full-fledged remote access trojan named RemotePE that's written in C++ and polls a command-and-control (C2) server for further instructions. The malware supports six categories of commands, allowing it to - Obtain or modify the C2 configuration Get or change the current working directory, register a new DLL module, get loaded DLLs, and unload a DLL Perform file operations Get a list of running processes, create a new process, or kill process by ID Sleep for a predetermined interval or exit RemotePE Ping the server A notable aspect of the file deletion command is that it overwrites each file with constant bytes seven times before renaming and deleting it, a pattern also observed in PondRAT and POOLRAT (aka SIMPLESEA). PondRAT is assessed to be a lightweight version of POOLRAT. Fox-IT said it obtained four RemotePE samples that indicate the RAT was under active development between mid-2023 and mid-2024. The first version has a compilation timestamp of July 4, 2023. "The toolset's environmental keying, memory-only execution, EDR evasion, and low forensic footprint suggest it is purpose-built for long-term observation campaigns," the researchers said. "This allows the actor to quietly maintain access over an extended period before moving to a high-impact final objective such as data theft or a large-scale financial heist, consistent with this actor's known history." "The actor-in-the-loop delivery model and the toolset's low detection rate (neither RemotePELoader nor RemotePE appeared on VirusTotal prior to this publication) suggest this toolset may be reserved for high-value targets where long-term, stealthy access is the objective, consistent with this Lazarus subgroup's known focus on financial and cryptocurrency organizations." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cryptocurrency, cybersecurity, DeFi, endpoint security, Financial Security, lazarus group, Malware, Remote Access Trojan, Social Engineering, Threat Intelligence ⚡ Top Stories This Week Microsoft Warns of Two Actively Exploited Defender Vulnerabilities GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos The New Phishing Click: How OAuth Consent Bypasses MFA Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros Developer Workstations Are Now Part of the Software Supply Chain MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Load More ▼ ⭐ Featured Resources Claim ANY.RUN Anniversary Offer for Faster Malware Analysis Discover How to Navigate the Era of Constant Cyber Exposure [Guide] Learn to Detect AI Typosquatting Risks in Your Domain [Guide] Get Key Identity Security Insights From 2026 Snapshot