Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms
New research from Fox-IT reveals RemotePE, a cross-platform memory-only RAT used by North Korea's Lazarus Group to stealthily target financial and cryptocurrency organizations.

Cybersecurity researchers at Fox-IT, part of NCC Group, have published a detailed analysis of RemotePE, a sophisticated cross-platform remote access trojan (RAT) deployed by the North Korea-linked Lazarus Group against financial and cryptocurrency organizations. The malware is engineered to operate entirely in memory, leaving no trace on disk and evading traditional endpoint detection systems.
RemotePE is delivered through a multi-stage attack chain involving two distinct loaders: DPAPILoader and RemotePELoader. According to researchers Yun Zheng Hu and Mick Koomen, DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI). RemotePELoader then beacons to a command-and-control (C2) server and waits to receive the final payload, RemotePE, which is executed entirely in memory and never written to disk.
The attack chain begins with social engineering. In one observed incident from September 2025 targeting an unnamed decentralized finance (DeFi) organization, the Lazarus operator contacted the victim on Telegram, posing as an employee of a trading company, and scheduled a meeting using fake Calendly and Picktime domains. This tactic led to the compromise of the employee's device and the deployment of three malware families: PondRAT, ThemeForestRAT, and RemotePE.
The earliest DPAPILoader artifact dates back to November 2023. RemotePELoader contacts a C2 server over HTTP at "aes-secure[.]net" to fetch the core module, employing evasion techniques such as Hell's Gate and patching Event Tracing for Windows (ETW) to avoid detection by security tools. RemotePE itself, written in C++, polls its C2 server for instructions and supports six categories of commands, including C2 configuration management, file operations, process manipulation, DLL loading, and self-termination. Notably, its file deletion command overwrites each file with constant bytes seven times before renaming and deleting it—a pattern also observed in PondRAT and POOLRAT (aka SIMPLESEA). PondRAT is considered a lightweight variant of POOLRAT.
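The seven-pass overwrite, rename and delete sequence is file-system behaviour a defender can hunt for in endpoint telemetry. The following Python is an added example, not Fox-IT's code: it flags that sequence in constructed file-system event records, and the event schema, process IDs and paths are assumptions.

```python
"""Flag the multi-pass secure-delete pattern described above: repeated
constant-byte overwrites of a file, then a rename, then a delete.
Added example, not Fox-IT's code; the telemetry below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

MIN_PASSES = 7  # overwrite passes the report attributes to RemotePE's delete command

@dataclass
class FsEvent:
    pid: int
    op: str             # "write", "rename" or "delete"
    path: str
    new_path: str = ""  # set for "rename" only
    data: bytes = b""   # set for "write" only

def is_constant_fill(buf: bytes) -> bool:
    """True when every byte of the write buffer is identical (e.g. all 0x00)."""
    return len(buf) > 0 and buf.count(buf[:1]) == len(buf)

def find_wipe_sequences(events):
    """Return (pid, original_path, passes) for every file that received at least
    MIN_PASSES consecutive constant-fill writes and was then renamed and deleted."""
    passes = defaultdict(int)  # (pid, path) -> consecutive constant-fill writes
    pending = {}               # (pid, renamed_path) -> (original_path, passes)
    hits = []
    for ev in events:
        key = (ev.pid, ev.path)
        if ev.op == "write":
            if is_constant_fill(ev.data):
                passes[key] += 1
            else:
                passes.pop(key, None)  # a real content write is not a wipe pass
        elif ev.op == "rename" and passes.get(key, 0) >= MIN_PASSES:
            pending[(ev.pid, ev.new_path)] = (ev.path, passes.pop(key))
        elif ev.op == "delete" and key in pending:
            orig, n = pending.pop(key)
            hits.append((ev.pid, orig, n))
    return hits

DOC = r"C:\Users\victim\Documents\notes.txt"
SAMPLE_EVENTS = (  # constructed telemetry, not data from the report
    [FsEvent(4242, "write", DOC, data=b"\x00" * 4096) for _ in range(7)]
    + [FsEvent(4242, "rename", DOC, new_path=r"C:\Users\victim\Documents\a8f1"),
       FsEvent(4242, "delete", r"C:\Users\victim\Documents\a8f1"),
       # benign: an editor writes real content to a temp file and removes it
       FsEvent(1001, "write", r"C:\tmp\draft.tmp", data=b"meeting notes"),
       FsEvent(1001, "delete", r"C:\tmp\draft.tmp")]
)
```

Running `find_wipe_sequences(SAMPLE_EVENTS)` returns only the process that performed the seven constant-fill passes; the ordinary save-and-delete by the second process is not flagged.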
Fox-IT obtained four RemotePE samples spanning development activity between mid-2023 and mid-2024, with the earliest sample compiled on July 4, 2023. The researchers note that neither RemotePELoader nor RemotePE appeared on VirusTotal prior to their publication, underscoring the toolset's stealth. "The toolset's environmental keying, memory-only execution, EDR evasion, and low forensic footprint suggest it is purpose-built for long-term observation campaigns," the researchers said. "This allows the actor to quietly maintain access over an extended period before moving to a high-impact final objective such as data theft or a large-scale financial heist, consistent with this actor's known history."
The Lazarus Group's sustained focus on the cryptocurrency and financial sectors continues to evolve its arsenal, with RemotePE representing a notable advancement in operational security. The actor-in-the-loop delivery model and low detection rate suggest that these tools are reserved for high-value targets where long-term, stealthy access is paramount, consistent with a Lazarus subgroup known to prioritize financial and cryptocurrency organizations.