Hacker-City
Technology | May 25, 2026 | 5 min read

Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms

Cybersecurity researchers have uncovered RemotePE, a sophisticated memory-only remote access trojan deployed by the North Korea-linked Lazarus Group to target financial and cryptocurrency organizations through multi-stage attack chains.

Tags: lazarus-group, remotepe, rat-malware, memory-only-execution, cryptocurrency, financial-security, edr-evasion, north-korea, c2-server, threat-intelligence

By The Hacker News (Contributor)


Recent investigations by cybersecurity experts have identified a cross-platform malware termed RemotePE, utilized by the Lazarus Group, which is linked to North Korea. The primary targets of these attacks include financial and cryptocurrency companies.

According to researchers from NCC Group's subsidiary, Fox-IT, RemotePE is integral to a multi-stage attack strategy that incorporates two loaders known as DPAPILoader and RemotePELoader.

"DPAPILoader decrypts and loads RemotePELoader from disk by leveraging the Windows Data Protection API (DPAPI)," state security analysts Yun Zheng Hu and Mick Koomen. "Following this, RemotePELoader establishes a connection to a command-and-control (C2) server and waits for the subsequent stage: RemotePE, a RAT that operates exclusively in memory without creating any disk-based artifacts."

RemotePE was initially highlighted by the security vendor in September 2025, linked to an attack against an unnamed entity within the decentralized finance (DeFi) landscape. This attack resulted in the deployment of three distinct malware families, including PondRAT, ThemeForestRAT, and RemotePE.

Attack Chain and Initial Compromise

The attack began with the compromise of a staff member’s device through social engineering tactics, with the adversary masquerading as a legitimate employee of a trading firm. The threat actor engaged the victim via Telegram and arranged meetings using fraudulent Calendly and Picktime domains.

The RemotePE infection process unfolds in three stages, beginning with the DPAPILoader DLL ("Iassvc.dll"), which is tasked with decrypting and loading an encoded payload from disk utilizing the DPAPI. The earliest recorded instance of the DPAPILoader was traced back to November 2023.

Technical Analysis

The decrypted payload initializes another loader, RemotePELoader, which is crafted to connect to a remote server ("aes-secure[.]net") via HTTP, retrieve the core module, and execute it purely in memory. Prior to execution, the malware employs several evasion techniques, including Hell's Gate, and tampers with Event Tracing for Windows (ETW) to avoid detection.

The final stage introduces RemotePE, a fully functional remote access trojan written in C++. The malware polls a C2 server at regular intervals to receive additional commands. It supports six categories of commands, enabling it to:

  • Obtain or modify the C2 configuration
  • Retrieve or alter the current working directory, register new DLL modules, list loaded DLLs, and unload DLLs
  • Execute file operations
  • Enumerate running processes, initiate new processes, or terminate processes by ID
  • Pause for a specified interval or terminate RemotePE
  • Ping the server

Notably, the file-deletion command overwrites each file with fixed bytes seven times before renaming and deleting it. The same anti-forensic behavior has previously been observed in PondRAT and POOLRAT (also known as SIMPLESEA); PondRAT is considered a streamlined variant of POOLRAT.
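The multi-pass overwrite, rename, delete sequence described above is itself a detectable artifact: legitimate software rarely writes the same uniform byte value over a file several times and then renames it immediately before deletion. The following example, added here and not code from Fox-IT or from the article, shows how a detection engineer might correlate file-activity telemetry to surface that pattern. It assumes a telemetry source that records, per write, whether the written buffer consisted of a single repeated byte value (a hypothetical field; the helper `uniform_fill` shows how such a flag could be derived from a captured buffer). All events below are constructed for the example, not real data.

```python
"""Correlate file-activity events to flag the overwrite-rename-delete wiping
pattern attributed to RemotePE, PondRAT and POOLRAT.

The event schema and all sample events are CONSTRUCTED for this example; they
do not come from the article or from any real telemetry."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FileEvent:
    ts: int                          # monotonically increasing timestamp (constructed)
    pid: int                         # process that performed the operation
    op: str                          # "write", "rename" or "delete"
    path: str                        # path the operation was issued against
    fill: Optional[int] = None       # writes only: repeated byte value, or None if not uniform
    new_path: Optional[str] = None   # renames only: destination path


def uniform_fill(buf: bytes) -> Optional[int]:
    """Return the byte value if every byte in buf is identical, otherwise None.
    This is how a sensor could populate FileEvent.fill from a captured write buffer."""
    if not buf:
        return None
    first = buf[0]
    return first if buf.count(first) == len(buf) else None


def detect_wipe_sequences(events: List[FileEvent], min_passes: int = 3,
                          require_rename: bool = True) -> List[dict]:
    """Track each (pid, path) through its write/rename/delete lifecycle and
    report files that received >= min_passes uniform-fill overwrites before
    being (optionally renamed and) deleted."""
    state: Dict[Tuple[int, str], dict] = {}
    findings: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ev.path)
        if ev.op == "write":
            st = state.setdefault(key, {"orig": ev.path, "passes": 0,
                                        "fills": set(), "renamed_to": None})
            if ev.fill is not None:
                st["passes"] += 1
                st["fills"].add(ev.fill)
            else:
                # A write of real (non-uniform) content resets the wipe counter.
                st["passes"] = 0
                st["fills"].clear()
        elif ev.op == "rename" and ev.new_path:
            # Carry the accumulated state over to the new name.
            st = state.pop(key, None)
            if st is not None:
                st["renamed_to"] = ev.new_path
                state[(ev.pid, ev.new_path)] = st
        elif ev.op == "delete":
            st = state.pop(key, None)
            if st and st["passes"] >= min_passes and (st["renamed_to"] or not require_rename):
                findings.append({"pid": ev.pid, "path": st["orig"],
                                 "passes": st["passes"], "fills": sorted(st["fills"]),
                                 "renamed_to": st["renamed_to"], "deleted_at": ev.ts})
    return findings


# Constructed sample telemetry: one wipe sequence, one benign save-and-delete,
# and one single zero-fill without a rename (below threshold).
TMP = r"C:\Users\victim\AppData\Local\Temp"          # constructed path
DOC = r"C:\Users\victim\Documents\report.docx"        # constructed path
SAMPLE_EVENTS: List[FileEvent] = (
    [FileEvent(ts=i, pid=4120, op="write", path=TMP + r"\stage.bin",
               fill=uniform_fill(b"\x00" * 4096)) for i in range(1, 8)]
    + [
        FileEvent(ts=8, pid=4120, op="rename", path=TMP + r"\stage.bin",
                  new_path=TMP + r"\a1b2.tmp"),
        FileEvent(ts=9, pid=4120, op="delete", path=TMP + r"\a1b2.tmp"),
        FileEvent(ts=10, pid=880, op="write", path=DOC,
                  fill=uniform_fill(b"PK\x03\x04 constructed document bytes")),
        FileEvent(ts=11, pid=880, op="write", path=DOC, fill=None),
        FileEvent(ts=12, pid=880, op="delete", path=DOC),
        FileEvent(ts=13, pid=4120, op="write", path=TMP + r"\notes.txt", fill=0),
        FileEvent(ts=14, pid=4120, op="delete", path=TMP + r"\notes.txt"),
    ]
)


if __name__ == "__main__":
    for hit in detect_wipe_sequences(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['path']} overwritten {hit['passes']}x "
              f"with fills {hit['fills']}, renamed to {hit['renamed_to']}, "
              f"deleted at ts={hit['deleted_at']}")
```

Running the block as-is reports only the seven-pass sequence on `stage.bin`; the document that was saved twice with real content and the single zero-fill without a rename do not trigger. The thresholds are deliberately parameters: lowering `min_passes` or dropping `require_rename` trades precision for recall, and the `fills` list in each finding lets an analyst see whether the overwrite used the fixed byte pattern the article describes.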

Development Timeline and Assessment

Fox-IT has acquired four RemotePE samples, indicating that the RAT underwent active development from mid-2023 to mid-2024, with the initial version marked by a timestamp of July 4, 2023.

"The features of environmental keying, memory-only operation, evasion of endpoint detection and response (EDR) systems, and minimal forensic trail imply this toolset is purposely designed for extended surveillance campaigns," the researchers noted. "This capability enables the actor to discreetly maintain access over an extended timeframe before proceeding to significant objectives, such as data exfiltration or large-scale financial crimes, which is consistent with the group's historical activities."

"The actor-involved delivery model and the toolset's low rate of detection—neither RemotePELoader nor RemotePE was flagged on VirusTotal prior to this report—indicate this toolset may be strategically reserved for high-value targets, where sustained, stealthy access is prioritized, aligning with the known objectives of this Lazarus subgroup focused on financial and cryptocurrency entities."
