Published on May 25, 2026
Lazarus Group Deploys RemotePE Memory-Only RAT in Financial and Crypto Attacks
Severity
Medium
Detail
Security researchers have uncovered a new malware campaign attributed to the North Korea-linked Lazarus Group, which is actively deploying a sophisticated remote access trojan (RAT) known as RemotePE. The malware is being used in targeted attacks against financial institutions and cryptocurrency organizations.
RemotePE is part of a multi-stage attack framework that relies on stealthy loaders and in-memory execution techniques designed to evade traditional endpoint detection and forensic analysis. The RAT itself operates entirely in memory and writes no files to disk, which sharply reduces the opportunities for disk-based detection.
The campaign was observed as part of Lazarus Group’s continued focus on high-value targets in fintech, decentralized finance (DeFi), and crypto-related sectors.
How?
The attack uses a layered infection chain designed to deliver and execute RemotePE without leaving persistent artifacts on disk.
- The initial compromise typically begins through social engineering, where victims are lured via messaging platforms or fake business interactions.
- Once the victim system is accessed, the first-stage loader (DPAPILoader) is executed. This loader uses the Windows Data Protection API (DPAPI) to decrypt and load the next stage. Because DPAPI keys are derived from the victim's user or machine credentials, a payload protected this way decrypts only on the host it was staged on, which complicates offline analysis of any recovered blob.
- DPAPILoader retrieves and executes RemotePELoader, which then establishes communication with a command-and-control (C2) server.
- RemotePELoader beacons to the attacker infrastructure and waits for instructions while preparing in-memory execution of the final payload.
- The final payload, RemotePE RAT, is injected and executed entirely in memory—no files are written to disk at any stage.
- RemotePE then maintains persistent communication with the C2 server, receiving commands for full system control.
The RemotePE malware is designed with advanced stealth and evasion capabilities, including:
- Fileless execution: Runs entirely in memory without leaving artifacts on disk
- Multi-stage loader architecture: Uses DPAPILoader and RemotePELoader to deliver the payload
- DPAPI-based decryption: Leverages Windows Data Protection API to decrypt payloads
- EDR evasion techniques: Includes API unhooking and bypassing the system tracing facilities that EDR sensors depend on
- C2 communication: Regular beaconing to attacker-controlled infrastructure
- Memory-based payload delivery: Final RAT is never written to disk
Researchers also noted that some variants include secure-deletion behavior, overwriting data multiple times before removing it, to hinder forensic recovery.
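The chain above (a loader spawned from a user-facing application, then a remote thread started in memory that no module on disk backs) leaves footprints in endpoint telemetry even though it leaves none on disk. The following added example, which is not code from the researchers' report and says nothing about RemotePE's actual internals, reconstructs such a chain from constructed Sysmon-style records (Event ID 1 ProcessCreate and Event ID 8 CreateRemoteThread). The images, PIDs, and the list of user-facing applications are hypothetical.

```python
"""Reconstruct a loader-to-injection chain from endpoint telemetry.

Added illustration; not code from the researchers' report. The records are
constructed to resemble Sysmon Event ID 1 and Event ID 8 and the process
names are hypothetical.
"""
import ntpath

# Assumed list of user-facing applications through which a lure would arrive.
USER_FACING = {"chat.exe", "teams.exe", "telegram.exe", "outlook.exe"}

# Constructed sample events; field names follow the Sysmon schema.
EVENTS = [
    {"id": 1, "ProcessId": 4100, "Image": r"C:\Users\u\AppData\Local\Chat\chat.exe",
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 1, "ProcessId": 5200, "Image": r"C:\Users\u\Downloads\Agreement.pdf.exe",
     "ParentProcessId": 4100, "ParentImage": r"C:\Users\u\AppData\Local\Chat\chat.exe"},
    # Remote thread whose start address maps to no loaded module (unbacked memory).
    {"id": 8, "SourceProcessId": 5200, "SourceImage": r"C:\Users\u\Downloads\Agreement.pdf.exe",
     "TargetProcessId": 6300, "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartAddress": "0x00000201AB3C0000", "StartModule": ""},
    # Benign remote thread from a security tool: start address inside ntdll.dll.
    {"id": 8, "SourceProcessId": 700, "SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetProcessId": 6300, "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartAddress": "0x00007FFB12340000", "StartModule": r"C:\Windows\System32\ntdll.dll"},
]


def build_process_table(events):
    """Map pid -> (image, parent pid, parent image) from ProcessCreate events."""
    return {e["ProcessId"]: (e["Image"], e["ParentProcessId"], e["ParentImage"])
            for e in events if e["id"] == 1}


def ancestry(pid, procs):
    """Return image basenames from the oldest known ancestor down to pid."""
    chain = []
    while pid in procs:
        image, ppid, parent_image = procs[pid]
        chain.append(ntpath.basename(image))
        if ppid not in procs:
            # Parent was never seen being created; keep its name from the child record.
            chain.append(ntpath.basename(parent_image))
            break
        pid = ppid
    return list(reversed(chain))


def find_injection_chains(events):
    """Flag CreateRemoteThread events whose start address is not backed by a module.

    A thread starting in unbacked memory is the classic footprint of an
    in-memory payload. A remote thread that starts inside a loaded DLL is
    usually a legitimate tool and is left alone here.
    """
    procs = build_process_table(events)
    hits = []
    for e in events:
        if e["id"] != 8 or e.get("StartModule") not in ("", "-", None):
            continue
        chain = ancestry(e["SourceProcessId"], procs) or [ntpath.basename(e["SourceImage"])]
        hits.append({
            "source_pid": e["SourceProcessId"],
            "target": ntpath.basename(e["TargetImage"]),
            "chain": chain,
            "user_facing_origin": any(p.lower() in USER_FACING for p in chain),
        })
    return hits


if __name__ == "__main__":
    for hit in find_injection_chains(EVENTS):
        print(" -> ".join(hit["chain"]), "injects into", hit["target"],
              "(user-facing origin)" if hit["user_facing_origin"] else "")
```

In real telemetry the pid table must be keyed on pid plus process start time (or the Sysmon ProcessGuid) because pids are reused; the example keys on pid only to keep the chain logic visible.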

Impact
Successful deployment of RemotePE can result in full system compromise and long-term stealthy access to victim environments. Potential impacts include:
- Complete remote control of infected endpoints
- Theft of financial and cryptocurrency assets
- Credential harvesting from enterprise systems
- Lateral movement within corporate networks
- Long-term undetected persistence in high-value environments
- Data exfiltration from sensitive financial infrastructure
Because RemotePE operates entirely in memory, disk-based forensic tools may find no evidence of compromise. What evidence exists is volatile and is lost on reboot, so memory should be acquired before any containment step that powers the host off.
Recommendation
Organizations are strongly advised to implement the following mitigations:
- Enhance endpoint detection with memory-based and behavioral analysis capabilities
- Monitor for unusual process injection and in-memory execution patterns
- Implement strict application allowlisting on high-value systems
- Strengthen user awareness against social engineering and fake meeting invitations
- Restrict execution of untrusted scripts and binaries from messaging platforms
- Monitor outbound traffic for abnormal beaconing behavior to unknown C2 domains
- Deploy EDR solutions capable of detecting API hooking and memory manipulation techniques
- Segment financial and development environments to reduce lateral movement risk
- Regularly audit endpoints for anomalous loader activity or injection chains
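The regular beaconing described in the infection chain above is what the outbound-traffic recommendation is meant to catch. The following added example, which is not code from the researchers' report and does not reflect RemotePE's actual beacon interval, scores each source/destination pair in a connection log by how regular its inter-connection gaps are. The log lines, hostnames, and addresses are constructed.

```python
"""Flag periodic outbound connections (C2 beaconing) in a proxy or flow log.

Added illustration; not code from the researchers' report. The log format,
hosts and addresses below are constructed for the example.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed lines: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>"
LOG = """\
2026-05-20T09:00:00 10.1.2.30 updates.example-cdn.net 512
2026-05-20T09:00:05 10.1.2.30 mail.corp.example 20480
2026-05-20T09:01:01 10.1.2.30 updates.example-cdn.net 512
2026-05-20T09:00:40 10.1.2.30 mail.corp.example 1024
2026-05-20T09:02:03 10.1.2.30 updates.example-cdn.net 512
2026-05-20T09:03:00 10.1.2.30 updates.example-cdn.net 512
2026-05-20T09:07:15 10.1.2.30 mail.corp.example 3072
2026-05-20T09:04:02 10.1.2.30 updates.example-cdn.net 512
2026-05-20T09:05:01 10.1.2.30 updates.example-cdn.net 512
2026-05-20T09:31:00 10.1.2.30 mail.corp.example 500
2026-05-20T09:45:10 10.1.2.30 mail.corp.example 8192
2026-05-20T10:20:00 10.1.2.30 mail.corp.example 640
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def detect_beacons(text, min_connections=5, max_cv=0.2):
    """Return (src, dst) pairs whose connection intervals are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: a near-constant gap gives a cv close to 0,
    while human-driven traffic to a host spreads much more widely.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in parse_log(text):
        by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        mean = statistics.fmean(gaps)
        if mean == 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "connections": len(conns),
                "period_s": round(mean, 1), "cv": round(cv, 3),
                # Constant request size is a second beacon trait worth surfacing.
                "distinct_sizes": len({s for _, s in conns}),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in detect_beacons(LOG):
        print(f"{f['src']} -> {f['dst']}: every ~{f['period_s']}s "
              f"(cv={f['cv']}, {f['connections']} connections, "
              f"{f['distinct_sizes']} request size(s))")
```

Legitimate software (update checks, telemetry agents) beacons too, so a hit is a lead to enrich with destination age and reputation rather than an alert on its own; an implant with heavy jitter needs a longer window and a statistic that tolerates spread, such as the share of gaps falling inside a band around the median.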
Conclusion
The RemotePE campaign highlights the continued evolution of Lazarus Group operations toward highly stealthy, fileless malware designed to evade traditional detection mechanisms. By executing entirely in memory and leveraging multi-stage loader chains, the attackers are able to maintain long-term, covert access to financial and cryptocurrency environments.
Organizations operating in high-value sectors should prioritize memory-level threat detection, strengthen social engineering defenses, and continuously monitor abnormal behavior in endpoint and network activity to mitigate the risk posed by this advanced threat actor.
Source
https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html
https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
