Lazarus Group Deploys Memory-Only RemotePE RAT Against Financial Targets

[Diagram: Lazarus Group RemotePE attack chain, memory-only execution. Initial access: Telegram lure. Stage 1: DPAPILoader (Iassvc.dll), DPAPI decrypt. Stage 2: RemotePELoader, ETW patch + Hell's Gate for EDR bypass, payload fetched from aes-secure[.]net. Stage 3: RemotePE in-memory RAT, written in C++. Annotations: 0 AV detections, 7x overwrite anti-forensics, PondRAT link.]

Key figures: 3-stage infection chain; 0 VirusTotal detections pre-disclosure; first DPAPILoader sample November 2023; files overwritten 7 times before deletion.
TL;DR
  • What: Lazarus Group is deploying RemotePE, a memory-only C++ RAT delivered via a 3-stage chain: DPAPILoader (Iassvc.dll) then RemotePELoader then the in-memory RAT fetched from aes-secure[.]net, with EDR bypasses via Hell's Gate and ETW patching.
  • Impact: Zero VirusTotal detections prior to Fox-IT's disclosure; the malware leaves no filesystem artifacts, enabling extended undetected access against financial and cryptocurrency organizations.
  • Fix / mitigation: No patch exists for a novel RAT — deploy EDR with memory-scanning and behavioral analysis, monitor for suspicious DPAPI usage and aes-secure[.]net C2 connections, and enforce ETW integrity checks.
  • Who's at risk: Financial institutions and DeFi/cryptocurrency firms are primary targets; the toolset is assessed to be reserved for high-value, long-dwell operations preceding large-scale heists.

North Korea's Lazarus Group has deployed a new cross-platform malware framework called RemotePE in attacks targeting financial and cryptocurrency organizations. According to research from Fox-IT, the NCC Group subsidiary, RemotePE operates entirely in memory without writing to disk, eliminating filesystem artifacts that security tools typically rely on for detection. The RAT was discovered during investigation of a September 2025 attack on a decentralized finance organization.

Three-Stage Infection Chain

RemotePE deploys through a sophisticated multi-stage attack chain involving two custom loaders. The first stage uses DPAPILoader, a DLL file named 'Iassvc.dll' that decrypts and loads the second-stage payload using Windows Data Protection API. Fox-IT researchers traced the earliest DPAPILoader artifact to November 2023, indicating this toolset has been operational for over two years.

The second stage, RemotePELoader, contacts a command-and-control server at aes-secure[.]net over HTTP to fetch the final payload. Before execution, RemotePELoader employs advanced evasion techniques including Hell's Gate and Event Tracing for Windows patching to bypass endpoint detection and response systems. The final stage, RemotePE itself, executes entirely in memory as a full-featured remote access trojan written in C++.

Social Engineering Entry Point

The attack chain begins with targeted social engineering. In the documented DeFi sector intrusion, threat actors approached an employee on Telegram while impersonating an existing employee of a trading company. The attackers established trust before scheduling a meeting using fake Calendly and Picktime domains, ultimately compromising the victim's device. This approach demonstrates Lazarus Group's continued reliance on human manipulation as the initial access vector.

Zero Detection Rate

Neither RemotePELoader nor RemotePE appeared on VirusTotal prior to Fox-IT's public disclosure. The actor-in-the-loop delivery model and memory-only execution allowed the toolset to remain completely undetected by traditional antivirus scanning.

RAT Capabilities and Command Structure

RemotePE polls its C2 server for instructions and supports six command categories. The malware can obtain or modify C2 configuration settings, manage the file system through directory navigation, and handle DLL module registration, loading, and unloading operations. File operation capabilities include standard manipulation functions, while process management allows listing running processes, creating new processes, and terminating processes by ID.

Additional commands enable the RAT to sleep for predetermined intervals, exit execution, or ping the server to maintain connectivity. The file deletion functionality includes a distinctive anti-forensics feature: files are overwritten with constant bytes seven times before being renamed and deleted. This same pattern appears in related Lazarus malware families PondRAT and POOLRAT (also tracked as SIMPLESEA), providing a clear operational signature linking these tools.
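The overwrite, rename, delete sequence described above is the kind of pattern a file-activity telemetry rule can catch. The following Python is an added detection example, not code from the article or from Fox-IT. It assumes a simplified event stream (timestamp, operation, path, a sample of the written buffer, rename target) of the sort EDR file events could be normalized into; the field names and the sample events are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FileEvent:
    """One normalized file-activity record (this layout is an assumption of the example)."""
    ts: float                        # seconds since epoch
    op: str                          # "write", "rename" or "delete"
    path: str                        # path the operation applies to
    data: bytes = b""                # sample of the written buffer (write only)
    new_path: Optional[str] = None   # rename target (rename only)


def is_constant(buf: bytes) -> bool:
    """True when every byte of the sampled buffer has the same value."""
    return len(buf) > 0 and buf.count(buf[:1]) == len(buf)


def find_wipe_sequences(events: List[FileEvent], min_overwrites: int = 7,
                        window: float = 60.0) -> List[Tuple[str, str]]:
    """Return (original_path, deleted_path) pairs for files that received at least
    `min_overwrites` constant-byte writes, were renamed, and were then deleted,
    with the writes landing within `window` seconds of the delete."""
    state = {}  # current path -> {"orig": str, "writes": [ts, ...], "renamed": bool}
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.op == "write":
            s = state.setdefault(e.path, {"orig": e.path, "writes": [], "renamed": False})
            if is_constant(e.data):
                s["writes"].append(e.ts)
            else:
                s["writes"].clear()  # a normal content write breaks the wipe pattern
        elif e.op == "rename" and e.new_path:
            s = state.pop(e.path, None)
            if s is not None:
                s["renamed"] = True
                state[e.new_path] = s  # keep tracking the file under its new name
        elif e.op == "delete":
            s = state.pop(e.path, None)
            if s is None:
                continue
            recent = [t for t in s["writes"] if e.ts - t <= window]
            if s["renamed"] and len(recent) >= min_overwrites:
                hits.append((s["orig"], e.path))
    return hits


def build_sample_events() -> List[FileEvent]:
    """Constructed sample telemetry: one benign edit-and-delete, one full
    seven-pass wipe with rename and delete, and one partial overwrite."""
    ev = []
    # Benign: real content written twice, then the file is removed.
    ev += [FileEvent(1.0, "write", r"C:\Users\alice\notes.txt", b"meeting notes v1"),
           FileEvent(2.0, "write", r"C:\Users\alice\notes.txt", b"meeting notes v2"),
           FileEvent(3.0, "delete", r"C:\Users\alice\notes.txt")]
    # Wipe: seven constant-byte overwrites, rename to a random-looking name, delete.
    target = r"C:\Users\alice\ledger.xlsx"
    ev += [FileEvent(10.0 + i, "write", target, b"\x00" * 16) for i in range(7)]
    ev += [FileEvent(17.0, "rename", target, new_path=r"C:\Users\alice\k3j9q.tmp"),
           FileEvent(18.0, "delete", r"C:\Users\alice\k3j9q.tmp")]
    # Partial: only three overwrites before rename and delete, below the threshold.
    part = r"C:\Users\alice\draft.docx"
    ev += [FileEvent(20.0 + i, "write", part, b"\xff" * 16) for i in range(3)]
    ev += [FileEvent(23.0, "rename", part, new_path=r"C:\Users\alice\zz01.tmp"),
           FileEvent(24.0, "delete", r"C:\Users\alice\zz01.tmp")]
    return ev


if __name__ == "__main__":
    for orig, final in find_wipe_sequences(build_sample_events()):
        print(f"possible anti-forensic wipe: {orig} -> {final}")
```

The rule keys on the full sequence the article describes (constant-byte passes, then rename, then delete) rather than on the overwrite count alone, so a single editor save followed by a delete is never flagged; lowering `min_overwrites` trades that precision for coverage of shorter wipe loops.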

Active Development Timeline

Fox-IT obtained four RemotePE samples revealing active development between mid-2023 and mid-2024. The first version carries a compilation timestamp of July 4, 2023. This development timeline, combined with the November 2023 DPAPILoader discovery, indicates Lazarus invested significant resources in building and refining this toolset over at least a 12-month period before operational deployment.

Reserved for High-Value Operations

Fox-IT assesses RemotePE is reserved for high-value targets requiring long-term, stealthy access. The toolset's environmental keying, memory-only execution, EDR evasion, and minimal forensic footprint suggest purpose-built design for extended observation campaigns preceding high-impact objectives like data theft or large-scale financial heists.

Detection and Mitigation Challenges

The memory-only execution model presents significant detection challenges for security teams. Traditional signature-based detection and file scanning approaches fail against malware that never touches disk. Organizations must implement memory forensics capabilities, behavioral analysis, and network traffic monitoring to identify RemotePE activity. Monitoring for DPAPI usage patterns, suspicious DLL loading behavior, and connections to known C2 infrastructure provides potential detection opportunities.
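Network traffic monitoring is one of the detection avenues named above, and the RAT's habit of polling its C2 server is what such monitoring keys on. The Python below is an added example, not code from the article or from Fox-IT. It assumes a simplified proxy log format (timestamp, hostname, method, URL, status) with constructed sample lines, flags requests to the C2 domain reported in the article, and, more generally than the article's single indicator, flags any host that contacts one domain at a near-constant interval.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# C2 domain reported in the article (written defanged there as aes-secure[.]net).
KNOWN_C2_DOMAINS = {"aes-secure.net"}

# Constructed proxy log lines (not real logs) in an assumed
# "timestamp host method url status" format.
SAMPLE_LOG = """\
2025-09-12T10:00:00Z WS-0142 GET http://aes-secure.net/api/poll 200
2025-09-12T10:00:03Z WS-0142 GET https://cdn.example.com/lib.js 200
2025-09-12T10:01:00Z WS-0142 GET http://aes-secure.net/api/poll 200
2025-09-12T10:02:00Z WS-0142 GET http://aes-secure.net/api/poll 200
2025-09-12T10:02:41Z WS-0077 GET https://docs.example.com/ 200
2025-09-12T10:03:00Z WS-0142 GET http://aes-secure.net/api/poll 200
2025-09-12T10:04:00Z WS-0142 GET http://aes-secure.net/api/poll 200
2025-09-12T10:05:00Z WS-0142 GET http://aes-secure.net/api/poll 200
2025-09-12T10:00:10Z WS-0077 GET http://updates.example.org/check 200
2025-09-12T10:00:40Z WS-0077 GET http://updates.example.org/check 200
2025-09-12T10:01:10Z WS-0077 GET http://updates.example.org/check 200
2025-09-12T10:01:40Z WS-0077 GET http://updates.example.org/check 200
2025-09-12T10:02:10Z WS-0077 GET http://updates.example.org/check 200
2025-09-12T10:02:40Z WS-0077 GET http://updates.example.org/check 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Extract (timestamp, host, domain) from one log line; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    domain = re.sub(r"^https?://", "", m.group(4)).split("/")[0].split(":")[0].lower()
    return ts, m.group(2), domain


def analyze(log_text: str, min_requests: int = 5, max_jitter: float = 0.2) -> List[Dict]:
    """Flag (host, domain) pairs that hit a known C2 domain, or that poll one domain
    at a near-constant interval (coefficient of variation of the gaps <= max_jitter)."""
    stamps_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, host, domain = parsed
            stamps_by_pair[(host, domain)].append(ts)
    findings = []
    for (host, domain), stamps in stamps_by_pair.items():
        stamps.sort()
        if domain in KNOWN_C2_DOMAINS:
            findings.append({"host": host, "domain": domain, "reason": "known_c2",
                             "requests": len(stamps)})
        if len(stamps) >= min_requests:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean = statistics.mean(gaps)
            if mean > 0:
                jitter = statistics.pstdev(gaps) / mean
                if jitter <= max_jitter:
                    findings.append({"host": host, "domain": domain, "reason": "periodic",
                                     "requests": len(stamps), "interval_s": round(mean, 1),
                                     "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

In the sample, the periodic rule also fires on WS-0077's regular check-ins to a constructed software-update domain, which is the expected failure mode of interval analysis: a steady beat is a triage lead, not a verdict, and should be combined with domain reputation, registration age and the process that opened the connection before anyone acts on it.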

The social engineering entry point requires security awareness training emphasizing verification of meeting requests and communication from supposed colleagues. Organizations should implement strict verification procedures for scheduling tools and maintain updated threat intelligence on Lazarus Group tactics. Financial and cryptocurrency firms face elevated risk and should prioritize endpoint detection and response solutions capable of memory scanning, behavioral analysis, and detection of advanced evasion techniques like ETW patching.

Strategic Implications

RemotePE represents continued sophistication in North Korean state-sponsored cyber operations against financial targets. The toolset's design prioritizes stealth over speed, enabling prolonged reconnaissance before executing final objectives. This patience aligns with Lazarus Group's historical pattern of extended access maintenance before conducting major cryptocurrency heists or financial data theft operations. The low detection rate and actor-controlled delivery model indicate this framework represents tier-one capabilities reserved for operations with substantial revenue potential or strategic intelligence value.
