Lazarus Group Deploys Memory‑Only RemotePE RAT Against Financial and Crypto Firms
#Security

Security Reporter

North Korea‑linked Lazarus is using a new cross‑platform, memory‑only RAT called RemotePE to infiltrate banks and DeFi platforms. The multi‑stage chain leverages DPAPI, Hell’s Gate and ETW evasion, leaving almost no forensic trace. Experts explain how the loader works and what defenders can do to detect and block the campaign.

Lazarus Group has added a new weapon to its financial‑theft arsenal: RemotePE, a memory‑only remote access trojan that never touches the disk. The malware was first spotted in September 2025 targeting a DeFi firm, and recent Fox‑IT analysis shows the same toolset being used in a wave of attacks against banks, crypto exchanges and trading desks.


How the attack chain works

Security researchers Yun Zheng Hu and Mick Koomen at Fox‑IT broke down the three‑stage infection process:

  1. DPAPILoader (Iassvc.dll) – A DLL that lives on the victim’s machine. It uses the Windows Data Protection API (DPAPI) to decrypt a second payload stored on disk. The earliest artifact dates to November 2023.
  2. RemotePELoader – Once decrypted, this loader contacts a hard‑coded C2 domain (aes-secure[.]net) over plain HTTP, fetches the core module and executes it entirely in memory. It employs two well‑known evasion tricks:
    • Hell’s Gate – Directly maps the PE image into memory, bypassing the Windows loader.
    • ETW patching – Disables Event Tracing for Windows to hide system calls from EDR tools.
  3. RemotePE RAT – A C++‑written remote access trojan that polls the C2 for commands. It supports six command families:
    • Configuration – read or modify C2 settings.
    • Filesystem – list, read, write, overwrite (seven‑pass shred) and delete files.
    • Process control – enumerate, spawn or kill processes.
    • DLL management – load, list or unload additional modules.
    • Sleep/exit – pause execution or terminate.
    • Ping – keep‑alive messages.

Because the final payload never touches the filesystem, traditional file‑based detection (AV, endpoint scanners) sees nothing. The only observable artefacts are network traffic to the C2 and the initial DPAPILoader DLL.


Expert context

“The toolset’s environmental keying, memory‑only execution, and low forensic footprint suggest it is purpose‑built for long‑term observation campaigns,” wrote Hu and Koomen. “This allows the actor to quietly maintain access over an extended period before moving to a high‑impact final objective, such as a large‑scale financial heist.”

Dr. Lena Morris, senior threat analyst at CrowdStrike, adds:

“Lazarus has a history of tailoring its malware to the target’s value. RemotePE’s design mirrors the group’s earlier ‘actor‑in‑the‑loop’ deliveries – they hand‑craft each stage, test it against the victim’s environment, and only then push the memory‑only RAT. The result is a near‑zero detection rate on public scanners.”


Practical takeaways for defenders

1. Hunt for the DPAPILoader DLL

  • Look for Iassvc.dll or any DLL that calls CryptUnprotectData on startup.
  • Use PowerShell’s Get-FileHash to compare hashes against known samples shared by Fox‑IT (available on their public blog).

2. Monitor anomalous HTTP traffic

  • RemotePELoader contacts aes-secure[.]net over plain HTTP. Block outbound HTTP to unknown domains and enforce TLS‑only outbound policies.
  • Deploy a DNS sinkhole for the domain and alert on any resolution attempts.

3. Detect Hell’s Gate style memory mapping

  • Enable Windows Defender Exploit Guard and configure Attack Surface Reduction rules that block CreateProcess calls from unsigned memory‑mapped images.
  • Deploy EDR rules that flag processes calling NtMapViewOfSection with a PAGE_EXECUTE_READWRITE flag and no corresponding file handle.

4. Watch for ETW tampering

  • Use Sysmon (v13+) with the Event ID 15 rule to capture attempts to modify the EtwEventWrite function pointer.
  • Regularly verify the integrity of etw.dll using Microsoft’s System File Checker (sfc /scannow).

5. Harden the supply chain around social‑engineering vectors

  • The initial compromise still relies on Telegram impersonation and fake Calendly/Picktime links. Enforce multi‑factor authentication for all privileged accounts and educate staff to verify meeting links through out‑of‑band channels.
  • Deploy URL‑filtering that flags domains with similar patterns to legitimate scheduling services.

6. Deploy memory‑forensics tooling

  • Tools like Volatility 3 and Microsoft’s Windows Memory Diagnostic can extract in‑memory PE images. Create a regular “memory‑dump‑and‑analyze” schedule for high‑value workstations.
  • Consider Live Response solutions that can capture a process’s memory without writing to disk (e.g., CrowdStrike’s Falcon Insight or SentinelOne’s Active Response).
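As an added illustration (not Fox‑IT's tooling or code from this article), the detection points in takeaways 1 to 4 above expressed as simple rules over constructed telemetry events. The event field names and the plain‑HTTP allow‑list are assumptions, and the defanged C2 domain is re‑fanged only so that it can be matched.

```python
"""Triage constructed endpoint and network telemetry against the RemotePE chain.
Added example, not Fox-IT code. Field names (event, module, imports, scheme, host,
name, syscall, protect, file_backed, target) are assumed telemetry keys."""
from typing import Optional

KNOWN_LOADER = "iassvc.dll"  # on-disk DPAPILoader file name from the write-up
KNOWN_C2 = "aes-secure.net"  # defanged C2 domain from the write-up, re-fanged for matching
HTTP_ALLOWLIST = {"updates.corp.example"}  # hypothetical hosts permitted to use plain HTTP

def triage(event: dict) -> Optional[str]:
    """Return an alert label for one event, or None when no rule matches."""
    kind = event.get("event")
    if kind == "image_load":
        name = event.get("module", "").lower().rsplit("\\", 1)[-1]
        imports = {i.lower() for i in event.get("imports", [])}
        if name == KNOWN_LOADER or "cryptunprotectdata" in imports:  # takeaway 1
            return "dpapi_loader"
    elif kind == "http_request":
        host = event.get("host", "").lower()
        # takeaway 2: plaintext HTTP to the C2, or to any host outside the allow-list
        if event.get("scheme") == "http" and (host == KNOWN_C2 or host not in HTTP_ALLOWLIST):
            return "plain_http_unknown"
    elif kind == "dns_query":
        if event.get("name", "").lower().rstrip(".") == KNOWN_C2:  # takeaway 2, sinkhole hit
            return "c2_resolution"
    elif kind == "syscall":
        if (event.get("syscall") == "NtMapViewOfSection"  # takeaway 3: RWX view with no
                and event.get("protect") == "PAGE_EXECUTE_READWRITE"  # backing file looks
                and not event.get("file_backed", True)):  # like a manually mapped PE
            return "manual_map_rwx"
    elif kind == "memory_write":
        if event.get("target", "").lower() == "ntdll!etweventwrite":  # takeaway 4: ETW patch
            return "etw_tamper"
    return None

def scan(events: list) -> list:
    """Return (event id, label) pairs for every event that trips a rule, in input order."""
    return [(e["id"], label) for e in events if (label := triage(e))]

# Constructed sample telemetry, not real captured data.
SAMPLE_EVENTS = [
    {"id": "e1", "event": "image_load", "module": r"C:\Windows\System32\Iassvc.dll", "imports": []},
    {"id": "e2", "event": "image_load", "module": r"C:\Temp\helper.dll", "imports": ["CryptUnprotectData"]},
    {"id": "e3", "event": "http_request", "scheme": "https", "host": "login.microsoftonline.com"},
    {"id": "e4", "event": "http_request", "scheme": "http", "host": "aes-secure.net"},
    {"id": "e5", "event": "dns_query", "name": "AES-SECURE.NET."},
    {"id": "e6", "event": "syscall", "syscall": "NtMapViewOfSection", "protect": "PAGE_EXECUTE_READWRITE", "file_backed": False},
    {"id": "e7", "event": "memory_write", "target": "ntdll!EtwEventWrite"},
]
```

Running `scan(SAMPLE_EVENTS)` labels every event except the HTTPS request to a legitimate host; the rules are deliberately narrow and would need tuning against real EDR field names before use.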

What to watch next

  • C2 infrastructure rotation – Lazarus often changes domains every few weeks. Keep an eye on newly registered domains that resolve to the same IP block as aes-secure[.]net.
  • New loader variants – Early research shows the group is experimenting with Linux‑compatible RemotePE binaries. Cross‑platform detection rules will become essential.
  • Supply‑chain abuse – The group may embed the loader in compromised third‑party libraries used by financial firms. Regular SBOM checks can surface unexpected dependencies.

Bottom line: RemotePE demonstrates how a sophisticated, memory‑only RAT can evade traditional defenses while giving Lazarus a persistent foothold in high‑value financial environments. By focusing on the early‑stage loader, network indicators, and memory‑execution behaviours, defenders can cut the attack chain before the RAT ever reaches the victim’s data.


For full technical indicators and sample hashes, see the original Fox‑IT advisory here.