RemotePE Shows Lazarus Is Still Playing the Long Game

Fox-IT links Lazarus to a memory-only RAT used against financial and crypto targets, with staged loaders, EDR evasion, and social engineering at the front

2026-05-26 GIGATAP Team #security
#Lazarus#RemotePE#Threat Intelligence

North Korea-linked Lazarus operators have been tied to a cross-platform remote access trojan called RemotePE, used in attacks against financial and cryptocurrency organizations. The useful detail is not only the victim profile. It is the operating model: social engineering to get onto an employee device, staged loaders, memory-only execution, EDR evasion, and a low forensic footprint.

That combination points to a tool built for long observation windows. Not smash-and-grab malware. Access first. Patience after.

What Fox-IT says Lazarus deployed#

The reporting is based on research from Fox-IT, an NCC Group subsidiary, and covered by The Hacker News. Fox-IT links RemotePE to a multi-stage attack chain involving two loaders: DPAPILoader and RemotePELoader.

The sequence is deliberate. DPAPILoader decrypts and loads RemotePELoader from disk using Windows Data Protection API, or DPAPI. RemotePELoader then contacts command-and-control infrastructure and waits for the next stage. That next stage is RemotePE, a RAT executed entirely in memory and never written to disk.

That matters because defenders often rely on filesystem artifacts to reconstruct what ran, where it landed, and what persisted. A memory-only payload does not make the intrusion invisible, but it removes one of the cleaner forensic paths. The defender has to lean harder on telemetry, network traces, process behavior, memory capture, and timeline reconstruction.

Fox-IT says it saw this toolset in September 2025 during an attack on an unnamed DeFi-sector organization. That intrusion reportedly began with social engineering against an employee. The attacker approached the victim on Telegram while pretending to be an existing employee of a trading company, then moved the target toward fake Calendly and Picktime domains to schedule a meeting.

The initial access story is familiar because it works. Crypto and financial firms often harden cloud and wallet infrastructure while leaving employee trust workflows exposed: chats, meetings, recruiting-style outreach, vendor introductions, and calendar links. Lazarus has repeatedly used that gap.

The attack chain is built to reduce evidence#

RemotePE’s infection flow has three main stages.

First, DPAPILoader appears as a DLL named “Iassvc.dll” and decrypts an encrypted payload from disk using DPAPI. Fox-IT says the earliest DPAPILoader artifact dates back to November 2023.

Second, the decrypted payload, RemotePELoader, reaches out over HTTP to a remote server listed in the reporting as “aes-secure[.]net.” Its job is to fetch the core module and execute it in memory. Before that, it uses evasion techniques, including ETW patching. Event Tracing for Windows is one of the telemetry sources defenders use to observe suspicious behavior. Patching it is not a magic cloak, but it is a clear signal about the operator’s priorities.

Third, the final payload, RemotePE, runs as a C++ remote access trojan. It polls its command-and-control server for instructions and supports command categories that include C2 configuration changes, working directory changes, DLL module registration and unloading, process listing and process control, sleep and exit behavior, and file operations.

One file deletion behavior stands out. The command overwrites each file with constant bytes seven times before renaming and deleting it. Fox-IT notes that this pattern has also been observed in PondRAT and POOLRAT, also known as SIMPLESEA. RemotePE is assessed as a lightweight version of POOLRAT.

That overlap is not proof by itself of every operational link a reader might want to infer. But it is meaningful tradecraft evidence. Shared deletion patterns, related loaders, and victim targeting all help analysts map tool families and operator habits without pretending that one artifact tells the whole story.

Why memory-only RemotePE matters#

The obvious answer is detection. A RAT that never lands as a final-stage file is harder to catch with basic file scanning and harder to analyze after the fact. But the more important answer is dwell time.

Fox-IT’s assessment is that environmental keying, memory-only execution, EDR evasion, and a low forensic footprint suggest a toolset purpose-built for long-term observation campaigns. That is the right reading of the technique. RemotePE is not optimized for noisy mass deployment. It appears suited for selected targets where access itself is valuable.

For financial and crypto organizations, the risk is not limited to immediate data theft. Long-running access can let an actor watch internal workflows, identify approval chains, learn wallet operations, observe engineering systems, and wait for a higher-value moment. In this sector, the final objective may be theft, but the preparation phase can look like quiet admin activity unless the environment is instrumented well.

The VirusTotal detail supports that reading. According to Fox-IT, neither RemotePELoader nor RemotePE appeared on VirusTotal before the publication. That does not prove the malware was rare everywhere. It does suggest the samples were not widely burned in public scanning pipelines, which is consistent with actor-in-the-loop delivery against higher-value targets.

Fox-IT obtained four RemotePE samples and says they indicate active development between mid-2023 and mid-2024. The first version reportedly has a compilation timestamp of July 4, 2023. Compilation timestamps can be manipulated, so they should not be treated as perfect chronology. Still, combined with artifact history and observed use, the timeline supports a toolset that matured before the 2025 DeFi intrusion described in the reporting.

What defenders should take from this#

The first practical lesson is that calendar and messaging workflows are part of the attack surface. The reported intrusion began outside the endpoint: Telegram contact, impersonation, fake scheduling domains, then device compromise. Security teams in crypto and finance should treat “meeting setup” as a real intrusion path, not a soft awareness topic.

Useful checks include:

  • Review telemetry for connections to suspicious scheduling lookalike domains, especially those imitating Calendly or Picktime workflows.
  • Investigate unusual DLL loading patterns, particularly around files masquerading as legitimate Windows service DLLs.
  • Hunt for processes that patch or interfere with ETW and other local telemetry sources.
  • Correlate HTTP beaconing with process ancestry, not only domain reputation.
  • Build response playbooks that assume final-stage payloads may be memory-resident and absent from disk.

The second lesson is that endpoint controls need validation against staged loading, not just known malware names. DPAPI use is legitimate in Windows environments. HTTP callbacks are common. DLL loading is common. The detection value comes from the chain: where the DLL came from, what decrypted, what process loaded it, what telemetry changed, and what network behavior followed.

The third lesson is scope discipline. Do not overclaim from this reporting that every financial or crypto firm is seeing RemotePE, or that RemotePE is the only Lazarus tool in play. The better claim is narrower and stronger: Fox-IT has documented a Lazarus-linked toolchain used against financial and crypto targets where stealthy access and low artifacts appear central to the operation.

The strategic read#

RemotePE fits Lazarus’ broader pattern: high-touch social engineering, tailored malware, and financial targeting. The notable part is not novelty for its own sake. It is the match between technique and objective.

A memory-only RAT with loader staging and evidence-reduction behavior is expensive compared with commodity malware. Operators tend to reserve that cost for targets worth waiting on. In crypto and finance, that means defenders should look less for one dramatic exploit and more for a quiet chain of small trust failures: a believable message, a meeting link, a loader, a beacon, then weeks of patient access.

That is where this report has operational value. It reminds defenders that the first visible compromise may not be the first meaningful failure. The attacker may already have studied the human workflow before any malware runs.