
Lazarus Group Deploys RemotePE Remote Access Trojan Against Financial Firms

On point: The Lazarus Group uses RemotePE, a memory-resident remote access trojan, against financial and cryptocurrency firms. The multi-stage chain keeps only encrypted loader stages on disk; the final payload is delivered over the network, runs entirely in memory, and uses evasion techniques to avoid detection.

Security researchers have uncovered new malware that the North Korean Lazarus Group uses in attacks on financial and cryptocurrency firms. The final payload, RemotePE, runs only in memory and is never written to disk.

Security experts from NCC Group and its subsidiary Fox-IT have disclosed details about RemotePE, a cross-platform malware deployed by the North Korean Lazarus Group against financial and cryptocurrency companies.

RemotePE is part of a multi-stage attack chain that begins with two loaders, DPAPILoader and RemotePELoader. DPAPILoader uses the Windows Data Protection API (DPAPI) to decrypt RemotePELoader from an encrypted file on disk and load it. Because DPAPI keys are bound to the victim's user account or machine, that encrypted stage cannot simply be decrypted for analysis on another host. RemotePELoader then connects to a command-and-control (C2) server and idles until it receives the next stage: RemotePE, a remote access trojan that arrives over the network and executes entirely in memory, without ever touching the disk.
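The DPAPI dependency shapes how a responder has to handle the encrypted stage: the blob is useless without the master key of the account (or machine) that sealed it, so triage starts by reading which master key the blob names and in which scope it was protected. The following script is an added example written for this article, not code from NCC Group, Fox-IT, or the malware itself. It decodes the fixed header of a standard CryptProtectData blob (version, provider GUID, master-key GUID, flags, description, data cipher) and runs on a constructed blob built inline; the master-key GUID, description and filler ciphertext in that sample are invented for the test and carry no meaning.

```python
import struct
import uuid

# Fixed values every DPAPI CryptProtectData blob carries in its header.
DPAPI_BLOB_VERSION = 1
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4          # flag bit: sealed in machine scope, not user scope

# CryptoAPI algorithm identifiers DPAPI records for the data cipher.
CALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256"}


def parse_dpapi_blob(blob: bytes) -> dict:
    """Decode the leading fields of a DPAPI blob; the ciphertext itself stays opaque.

    Layout: version, provider GUID, master-key version, master-key GUID, flags,
    description length + UTF-16LE description, data cipher ID. The master-key
    GUID names the master-key file the blob was sealed with."""
    if len(blob) < 0x30:
        raise ValueError("blob too short to be a DPAPI blob")
    version, = struct.unpack_from("<I", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])
    if version != DPAPI_BLOB_VERSION or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob: version/provider GUID mismatch")
    mk_version, = struct.unpack_from("<I", blob, 20)
    masterkey = uuid.UUID(bytes_le=blob[24:40])
    flags, desc_len = struct.unpack_from("<II", blob, 40)
    off = 48
    if len(blob) < off + desc_len + 4:
        raise ValueError("truncated DPAPI blob")
    description = blob[off:off + desc_len].decode("utf-16-le").rstrip("\x00")
    off += desc_len
    alg_crypt, = struct.unpack_from("<I", blob, off)
    machine = bool(flags & CRYPTPROTECT_LOCAL_MACHINE)
    return {
        "masterkey_guid": str(masterkey),
        "masterkey_version": mk_version,
        "flags": flags,
        "scope": "machine" if machine else "user",
        "description": description,
        "cipher": CALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        # Where the master-key file has to be collected from on the victim host.
        "masterkey_path": (
            r"%SystemRoot%\System32\Microsoft\Protect\S-1-5-18\<guid>" if machine
            else r"%APPDATA%\Microsoft\Protect\<user SID>\<guid>"
        ),
    }


def build_sample_blob(masterkey: uuid.UUID, flags: int, description: str) -> bytes:
    """Construct a DPAPI-shaped blob for testing. The trailing bytes are filler, not
    real ciphertext; this exists only so the parser can run offline."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    hdr = struct.pack("<I", DPAPI_BLOB_VERSION) + DPAPI_PROVIDER_GUID.bytes_le
    hdr += struct.pack("<I", 1) + masterkey.bytes_le
    hdr += struct.pack("<II", flags, len(desc)) + desc
    hdr += struct.pack("<I", 0x6610)            # CALG_AES_256
    return hdr + b"\x00" * 64


# Constructed sample: a user-scope blob sealed with an arbitrary, invented master-key GUID.
SAMPLE_MASTERKEY = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_BLOB = build_sample_blob(SAMPLE_MASTERKEY, 0, "constructed")


if __name__ == "__main__":
    for key, value in parse_dpapi_blob(SAMPLE_BLOB).items():
        print(f"{key:18} {value}")
```

A user-scope result means the stage only decrypts in the context of the user whose master key is named, so live decryption has to happen on the infected host under that logon (or offline with that user's master-key file and credentials); a machine-scope result points at the SYSTEM master keys instead. Either way, detonating the DPAPILoader sample in a sandbox on a different machine will not reach RemotePELoader.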

RemotePE was first disclosed in September 2025 following an attack on a DeFi organization. The breach began with social engineering: an attacker contacted an employee via Telegram, posing as an employee of a trading firm. The malware deployed in that intrusion included PondRAT, ThemeForestRAT, and RemotePE.

The infection chain thus consists of three stages. DPAPILoader is a DLL that decrypts an encrypted payload from disk using DPAPI and loads it; the first known sample dates from November 2023. The decrypted stage is RemotePELoader, which establishes the connection to the command server. The malware employs evasion techniques such as Hell's Gate (reading system-call numbers out of ntdll and issuing the syscalls directly, which sidesteps the user-mode hooks security products place on those functions) and ETW patching (overwriting the Event Tracing for Windows logging routine in memory so the process emits no telemetry) to circumvent detection mechanisms.
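Both evasion techniques leave something a defender can check for, and both are easy to misjudge without seeing the bytes involved. The script below is an added example written for this article, not code from the NCC Group/Fox-IT report or from RemotePELoader. It shows the two mechanics side by side: an ETW-patch check that compares the first bytes of EtwEventWrite as mapped in a process with the same bytes from the ntdll.dll image on disk and classifies any known patch stub, and the core of Hell's Gate, which reads the system-call number out of an unhooked Nt* stub and gives up on a hooked one. The byte samples are constructed stand-ins built inline (the "clean" prologue, the syscall number 0x18 and the hook target are invented for the test), and the patch patterns are the generic ones documented for this technique, not bytes the report attributes to RemotePELoader.

```python
import struct

# Generic byte patterns documented for in-memory patches of ntdll!EtwEventWrite.
# The article does not publish RemotePELoader's exact patch; these are the usual stubs.
KNOWN_ETW_PATCHES = {
    b"\xc3": "ret",
    b"\x33\xc0\xc3": "xor eax,eax ; ret",
    b"\x48\x33\xc0\xc3": "xor rax,rax ; ret",
    b"\xb8\x00\x00\x00\x00\xc3": "mov eax,0 ; ret",
}

# x64 Nt* stub prefix: mov r10,rcx ; mov eax,<SSN>. Hell's Gate reads the SSN from here.
SYSCALL_STUB_PREFIX = b"\x4c\x8b\xd1\xb8"
JMP_REL32 = 0xE9   # a user-mode hook replaces the stub's first instruction with jmp <trampoline>


def check_etw_prologue(live: bytes, clean: bytes) -> dict:
    """Compare EtwEventWrite's first bytes as mapped in a process (live) with the same
    bytes read from the ntdll.dll file on disk (clean). Any difference is a patch; the
    stub name is only a label for the most common patch shapes."""
    diff = [i for i, (a, b) in enumerate(zip(live, clean)) if a != b]
    if not diff:
        return {"patched": False}
    stub = next((name for pat, name in KNOWN_ETW_PATCHES.items() if live.startswith(pat)),
                "unrecognised patch")
    return {"patched": True, "first_diff": diff[0], "stub": stub}


def read_ssn(stub: bytes):
    """What Hell's Gate does: pull the system-call number straight out of an Nt* stub so
    the loader can execute the syscall instruction itself instead of calling through ntdll.
    Returns None when the stub was overwritten by a hook or does not look like a stub."""
    if not stub or stub[0] == JMP_REL32 or not stub.startswith(SYSCALL_STUB_PREFIX):
        return None
    return struct.unpack_from("<I", stub, 4)[0]


# Constructed samples (not bytes taken from any real binary): a stand-in clean prologue,
# the same prologue after a one-byte "ret" patch, an unhooked stub carrying SSN 0x18 and
# the same stub after a hook replaced its first five bytes with a jmp.
CLEAN_ETW = bytes.fromhex("4c8bdc4883ec58")
PATCHED_ETW = b"\xc3" + CLEAN_ETW[1:]
UNHOOKED_STUB = SYSCALL_STUB_PREFIX + struct.pack("<I", 0x18) + bytes.fromhex("f604250803fe7f01")
HOOKED_STUB = bytes([JMP_REL32]) + bytes.fromhex("10203040") + UNHOOKED_STUB[5:]


if __name__ == "__main__":
    print("intact  :", check_etw_prologue(CLEAN_ETW, CLEAN_ETW))
    print("patched :", check_etw_prologue(PATCHED_ETW, CLEAN_ETW))
    print("SSN     :", read_ssn(UNHOOKED_STUB))
    print("hooked  :", read_ssn(HOOKED_STUB))
```

Two caveats for using this in practice. The clean reference must come from the file image (mapping the export's RVA to a file offset), not from another process, since an agent-wide patch would otherwise compare equal. And Hell's Gate itself leaves ntdll untouched, so it is not found by byte comparison; the usual telemetry for direct syscalls is a syscall whose return address lies outside ntdll.dll, which is a kernel- or ETW-side check rather than a memory scan.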

The final payload is RemotePE, a full-featured remote access trojan written in C++ that beacons to the C2 server at regular intervals. It handles six categories of commands and, among other things, lets the attackers change the C2 configuration at runtime.
