North Korea's Lazarus Group Uses New 'RemotePE' Malware to Evade Detection in Financial Sector Attacks

Lazarus Group Unleashes 'RemotePE' Memory-Only RAT in Attacks on Financial and Crypto Firms

HIGH
May 25, 2026
5m read
Threat Actor, Malware, Phishing

Related Entities

Threat Actors

Products & Tech

Windows Data Protection API (DPAPI), Telegram

Other

RemotePE, DPAPILoader, RemotePELoader, PondRAT, POOLRAT

Full Report

Executive Summary

Researchers have identified a new, sophisticated malware campaign attributed to the Lazarus Group, a threat actor linked to North Korea. The campaign utilizes a previously unseen, cross-platform Remote Access Trojan (RAT) called RemotePE. This malware is designed for stealth, operating entirely in memory to evade detection by traditional, file-based antivirus solutions. The attacks target organizations in the financial and cryptocurrency sectors, leveraging a multi-stage infection process that begins with social engineering. The final RemotePE payload provides the attackers with full control over the compromised system, including capabilities for file manipulation, process management, and secure data deletion.


Threat Overview

The attack begins with social engineering, where Lazarus Group operatives engage with targets on platforms like Telegram, posing as recruiters or business partners. They lure victims into scheduling meetings on fraudulent domains, which ultimately leads to the compromise of an employee's device. This initial access is used to deliver the first stage of the malware, a loader named DPAPILoader.

DPAPILoader's sole purpose is to decrypt and execute the second-stage loader, RemotePELoader, from disk. It uses the legitimate Windows Data Protection API (DPAPI) for decryption, a technique that helps it blend in with normal system activity. RemotePELoader then communicates with a command-and-control (C2) server (e.g., aes-secure[.]net) to fetch the final payload, the RemotePE RAT. Crucially, this payload is loaded directly into the process's memory and is never written to disk, making it a fileless threat.


Technical Analysis

The infection chain is meticulously crafted to evade detection at each step:

  1. Initial Access: The campaign uses T1566.002 - Spearphishing Link, with social engineering on messaging platforms directing victims to malicious sites.

  2. Defense Evasion & Execution: The DPAPILoader uses the Windows DPAPI to decrypt the next stage. This is a known technique for defense evasion and credential access, tracked as T1555.001 - Credentials from Password Stores, as DPAPI is used to protect secrets. The most critical evasion technique is loading the final payload directly into memory, a form of T1620 - Reflective Code Loading. This fileless approach bypasses security products that rely on scanning files on disk.

  3. Command and Control: RemotePELoader establishes a C2 channel using T1071.001 - Web Protocols to download the RemotePE module.

  4. Impact: The RemotePE RAT is a full-featured C++ trojan. It allows for file operations, process execution, and configuration changes. A notable feature is its secure file deletion command, which overwrites files with constant bytes seven times before deletion. This anti-forensics technique, a form of T1485 - Data Destruction, has also been observed in other Lazarus Group tools like PondRAT and POOLRAT, strengthening the attribution.


Impact Assessment

The use of a memory-only RAT poses a significant threat to the targeted financial and cryptocurrency firms. The malware's stealthy nature allows it to persist undetected for longer periods, giving attackers ample time to conduct reconnaissance, steal credentials, and exfiltrate sensitive financial data or digital assets. The cross-platform nature of the malware suggests that it could be deployed against a variety of operating systems, broadening its potential impact. The established link to Lazarus Group indicates that the motive is likely financial theft to fund the North Korean regime.


IOCs — Directly from Articles

Type: domain
Value: aes-secure[.]net
Description: Command-and-control (C2) server used by RemotePELoader.

Cyber Observables — Hunting Hints

Security teams should hunt for the following patterns to detect RemotePE activity:

Type: process_name
Value: Anomalous processes making network connections, especially those spawned by office applications or browsers.
Description: Look for processes that have no on-disk executable file (fileless).

Type: api_endpoint
Value: CryptUnprotectData
Description: Monitoring calls to this Windows API function could indicate the DPAPILoader is attempting to decrypt its next stage.

Type: network_traffic_pattern
Value: Outbound connections to aes-secure[.]net or other newly registered/suspicious domains.
Description: Egress traffic filtering and analysis is key to spotting C2 communications.

Type: memory_pattern
Value: Strings related to file management, process creation, or configuration settings within a process's memory that has no corresponding file.
Description: Memory forensics or live memory scanning with YARA rules can uncover the in-memory RAT.

Detection & Response

  1. Memory Analysis: Since RemotePE is fileless, detection hinges on memory analysis. EDR solutions with capabilities for scanning process memory and identifying reflective loading are essential. D3FEND's D3-PA: Process Analysis is the primary defensive technique.

  2. Behavioral Monitoring: Monitor for chains of suspicious behavior, such as a user on Telegram downloading a file, which then spawns a loader that makes a network connection. EDR tools can correlate these events to detect the infection chain.

  3. Network Traffic Analysis: Decrypt and inspect outbound network traffic. Look for connections to known malicious domains like aes-secure[.]net or other suspicious indicators. This is an application of D3-NTA: Network Traffic Analysis.
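As an added example (not code from the article or the underlying report), the hunting hints above and the behavioral chain described in this section expressed as detection logic over constructed JSON-lines EDR telemetry; the event field names and the list of parent applications are assumptions.

```python
import json

# C2 domain quoted in the article, kept defanged here and normalised before matching.
KNOWN_C2 = {"aes-secure[.]net"}
# Parent images whose child processes deserve scrutiny (messaging apps, browsers, office apps); assumed list.
SUSPICIOUS_PARENTS = ("telegram", "chrome", "msedge", "firefox", "winword", "excel", "outlook")

def refang(domain):
    return domain.replace("[.]", ".").lower()

def detect(event_lines):
    """Apply the article's hunting hints to JSON-lines EDR telemetry; returns sorted (pid, rule) pairs."""
    events = [json.loads(l) for l in event_lines.splitlines() if l.strip()]
    c2 = {refang(d) for d in KNOWN_C2}
    image_of, parent_of = {}, {}             # pid -> image path, pid -> parent pid
    dpapi, fileless, net = set(), set(), {}  # CryptUnprotectData callers, no-backing-file loads, pid -> hosts
    for e in events:
        if e["type"] == "process_create":
            image_of[e["pid"]], parent_of[e["pid"]] = e["image"], e["ppid"]
        elif e["type"] == "api_call" and e.get("api") == "CryptUnprotectData":
            dpapi.add(e["pid"])
        elif e["type"] == "network_connect":
            net.setdefault(e["pid"], set()).add(e["dest_host"].lower())
        elif e["type"] == "image_load" and e.get("backing_file") is None:
            fileless.add(e["pid"])
    findings = set()
    for pid, hosts in net.items():
        if hosts & c2:                                   # direct IOC hit on the C2 domain
            findings.add((pid, "ioc_c2_domain"))
        if pid in fileless:                              # in-memory module with outbound traffic
            findings.add((pid, "fileless_module_with_network"))
        parent = image_of.get(parent_of.get(pid), "").lower()
        if pid in dpapi and any(p in parent for p in SUSPICIOUS_PARENTS):
            findings.add((pid, "user_app_spawned_dpapi_loader"))  # Telegram -> loader -> DPAPI -> network
    return sorted(findings)

# Constructed sample telemetry (not from the article); field names are assumptions.
SAMPLE_EVENTS = r"""
{"type": "process_create", "pid": 100, "ppid": 1, "image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe"}
{"type": "process_create", "pid": 200, "ppid": 100, "image": "C:\\Users\\u\\Downloads\\meeting_setup.exe"}
{"type": "api_call", "pid": 200, "api": "CryptUnprotectData"}
{"type": "network_connect", "pid": 200, "dest_host": "aes-secure.net", "dest_port": 443}
{"type": "image_load", "pid": 200, "backing_file": null, "size": 409600}
{"type": "process_create", "pid": 300, "ppid": 1, "image": "C:\\Windows\\System32\\svchost.exe"}
{"type": "network_connect", "pid": 300, "dest_host": "update.example.com", "dest_port": 443}
"""
if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Only pid 200 trips all three rules in the sample; the benign svchost connection produces nothing, which is the point of correlating the chain rather than alerting on any outbound connection.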


Mitigation

  1. User Training: Train employees to be skeptical of unsolicited contact on social media and messaging platforms, especially those involving job offers or business proposals that lead to downloading files. This directly counters the initial access vector and maps to M1017 - User Training.

  2. Endpoint Hardening: Implement Attack Surface Reduction (ASR) rules to block or audit suspicious behaviors, such as office applications creating executable content or script-based attacks.

  3. Advanced Endpoint Protection: Deploy an EDR solution that provides visibility into memory and process behavior, not just file-based threats. This is critical for detecting fileless malware like RemotePE. This aligns with M1049 - Antivirus/Antimalware and M1040 - Behavior Prevention on Endpoint.

Timeline of Events

1. May 25, 2026: This article was published.

MITRE ATT&CK Mitigations

Using an EDR to monitor for suspicious process chains and in-memory execution is key to detecting and stopping fileless malware.

Educating users about social engineering tactics on platforms like Telegram can prevent the initial compromise.

Inspecting and filtering egress network traffic can block C2 communications, even if the malware is already running.

Modern AV/EDR solutions with memory scanning and behavioral analysis capabilities are required to combat threats like RemotePE.

Sources & References

Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms
The Hacker News (thehackernews.com) May 25, 2026
DragonForce Strikes at HELIX INTERNATIONAL
DeXpose (dexpose.io) May 25, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Lazarus Group, RemotePE, Fileless Malware, Memory-only RAT, Cryptocurrency, Finance, North Korea
