Cybersecurity researchers said the North Korea-linked Lazarus Group has used a cross-platform malware called RemotePE in attacks against financial and cryptocurrency organizations, with the final remote access trojan running entirely in memory and leaving no filesystem artifacts.
KEY FACTS
- Malware chain: The infection used two loaders, DPAPILoader and RemotePELoader, before the final RemotePE payload ran.
- Memory-only execution: The RAT was executed in memory and was not written to disk.
- Initial access: The intrusion began after social engineering on Telegram and fake Calendly and Picktime domains.
- Timeline: Samples suggest active development from mid-2023 to mid-2024, with the earliest artifact dated July 4, 2023.
In a technical analysis, Fox-IT said DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API. RemotePELoader then contacts a command-and-control server and waits for the next stage.
The report said the malware uses detection-evasion techniques including Hell’s Gate and ETW patching. It also said the final RemotePE trojan is written in C++ and supports commands for file operations, process control, configuration changes, module management, sleep, exit and server pinging.
Fox-IT said it first highlighted RemotePE in September 2025 after a separate attack against an unnamed decentralized finance organization. That case involved three malware families: PondRAT, ThemeForestRAT and RemotePE.
The disclosure also said file deletion commands overwrite data seven times before renaming and deleting files, a pattern also seen in PondRAT and POOLRAT. Fox-IT said neither RemotePELoader nor RemotePE appeared on VirusTotal before the publication.
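As an added defender-side example (not code from the Fox-IT report), the following Python hunt looks for the overwrite, rename, delete sequence described above in file-activity telemetry; the event line format, process IDs and paths are constructed assumptions, not values from the report.

```python
"""Hunt for the overwrite -> rename -> delete wipe pattern in file-activity
telemetry. Event lines are 'timestamp pid op path' (rename: 'old -> new');
this format and the sample events are constructed for the example."""
from collections import defaultdict

MIN_OVERWRITES = 7  # overwrite count reported for RemotePE, PondRAT and POOLRAT

# Constructed sample telemetry: one wipe sequence (pid 4120) and one ordinary
# edit-then-delete (pid 3011) that must not be flagged.
SAMPLE_EVENTS = [
    f"2024-05-01T10:00:0{i}Z 4120 write C:\\Users\\a\\report.xlsx" for i in range(1, 8)
] + [
    "2024-05-01T10:00:08Z 4120 rename C:\\Users\\a\\report.xlsx -> C:\\Users\\a\\kq2x.tmp",
    "2024-05-01T10:00:09Z 4120 delete C:\\Users\\a\\kq2x.tmp",
    "2024-05-01T10:05:00Z 3011 write C:\\Users\\a\\notes.txt",
    "2024-05-01T10:05:01Z 3011 write C:\\Users\\a\\notes.txt",
    "2024-05-01T10:05:02Z 3011 delete C:\\Users\\a\\notes.txt",
]


def parse_event(line):
    """Split one telemetry line into (timestamp, pid, op, path)."""
    ts, pid, op, path = line.split(" ", 3)
    return ts, int(pid), op, path


def find_wipe_sequences(lines, min_overwrites=MIN_OVERWRITES):
    """Return (pid, original_path) for every file that one process overwrote at
    least min_overwrites times, then renamed, then deleted."""
    state = defaultdict(lambda: {"writes": 0, "original": None})  # keyed by (pid, path)
    hits = []
    for line in lines:
        _, pid, op, path = parse_event(line)
        if op == "write":
            state[(pid, path)]["writes"] += 1
        elif op == "rename":
            old, new = path.split(" -> ", 1)
            moved = state.pop((pid, old), {"writes": 0, "original": None})
            moved["original"] = moved["original"] or old  # remember the pre-rename name
            state[(pid, new)] = moved
        elif op == "delete":
            final = state.pop((pid, path), {"writes": 0, "original": None})
            if final["original"] and final["writes"] >= min_overwrites:
                hits.append((pid, final["original"]))
    return hits


if __name__ == "__main__":
    for pid, path in find_wipe_sequences(SAMPLE_EVENTS):
        print(f"possible secure-wipe by pid {pid}: {path}")
```

A delete without a preceding rename, or with fewer overwrites than the threshold, is deliberately left unflagged so ordinary edit-and-delete activity does not trigger the rule.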
WHY IT MATTERS
The low forensic footprint and memory-only execution make the malware harder to detect during long intrusions. For targets in finance and cryptocurrency, that raises the risk of prolonged access before attackers move to theft or other high-impact activity.