top of page

Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Organizations

  • May 26
  • 2 min read

Key Findings


  • North Korea-linked Lazarus Group deployed RemotePE, a memory-only RAT, against financial and cryptocurrency organizations

  • RemotePE executes entirely in memory with no filesystem artifacts, making it difficult to detect and analyze

  • Attack chain uses two loaders (DPAPILoader and RemotePELoader) to decrypt and deploy the final payload using Windows DPAPI

  • Malware employs advanced evasion techniques including Hell's Gate and Event Tracing for Windows (ETW) patching

  • RemotePE supports six command categories for remote control including process management, file operations, and C2 configuration changes

  • Low detection rate suggests toolset is reserved for high-value targets requiring long-term stealthy access


Background


Fox-IT researchers first identified RemotePE in September 2025 during an attack on a decentralized finance organization. The intrusion began with social engineering when an attacker contacted a victim via Telegram, impersonating a trading company employee and using fake Calendly and Picktime domains to schedule meetings. This initial compromise led to deployment of multiple malware families including PondRAT and ThemeForestRAT alongside RemotePE.


The Attack Chain


The RemotePE infection sequence operates in three distinct stages. The first stage involves DPAPILoader, a DLL named "Iassvc.dll" that uses the Windows Data Protection API to decrypt and load an encrypted payload from disk. Researchers traced the earliest DPAPILoader artifacts back to November 2023.


The decrypted payload becomes RemotePELoader, which contacts a remote server at "aes-secure[.]net" over HTTP. Before fetching and executing the core module in memory, RemotePELoader actively evades detection by employing Hell's Gate and patching Event Tracing for Windows.


The final stage deploys RemotePE itself, a full-featured remote access trojan written in C++. It polls a command-and-control server for instructions and never touches the disk, leaving virtually no forensic evidence behind.


Capabilities and Design


RemotePE supports six command categories that give operators extensive control. These commands allow attackers to obtain or modify C2 configuration, manage directories and DLL modules, perform file operations, manipulate processes, control timing intervals, and ping the server for connectivity checks.


A particularly notable feature is the file deletion command, which overwrites each target file with constant bytes seven times before renaming and deleting it. This same pattern appears in other Lazarus tools like PondRAT and POOLRAT, suggesting shared development practices across their toolkits.


Analysis of four RemotePE samples showed active development between mid-2023 and mid-2024, with the first compilation timestamp dated July 4, 2023. Neither RemotePELoader nor RemotePE appeared on VirusTotal before researchers published their findings, indicating the toolset remained undetected in the wild.


Purpose-Built for Persistence


Researchers assess that RemotePE's environmental keying, memory-only execution, EDR evasion capabilities, and minimal forensic footprint indicate it was purpose-built for extended observation campaigns. This design allows Lazarus operators to maintain quiet access over long periods before executing high-impact objectives like data theft or financial heists.


The actor-in-the-loop delivery model combined with the toolset's low detection rate suggests it's reserved specifically for high-value targets where stealthy long-term access is the primary goal. This aligns perfectly with what researchers know about this particular Lazarus subgroup's historical focus on financial and cryptocurrency organizations.


Sources


  • https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html

  • https://www.threads.com/@barrebull/post/DYwzihUliPN/lazarus-deployed-a-new-memory-only-rat-against-crypto-and-financial

  • https://www.socdefenders.ai/item/af87d559-1e43-4df6-abf2-fa3eae4e6916

  • https://www.reddit.com/r/InfoSecNews/comments/1tn7vnu/lazarus_deploys_remotepe_memoryonly_rat_against

  • https://x.com/TheCyberSecHub/status/2058863211303362934

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page