Lazarus RemotePE: Inside the Memory-Only RAT Targeting Crypto and Financial Firms
A subgroup of the North Korea-linked Lazarus Group has been running a memory-only remote access trojan called RemotePE against financial and cryptocurrency targets, with Fox-IT (NCC Group) publishing the detailed technical breakdown on 22 May 2026. The intrusion begins on Telegram, where operators pose as employees of trading firms and walk targets through fake Calendly or Picktime scheduling pages before any malware is ever delivered. Once the chain executes, the final payload runs entirely in RAM and leaves no recoverable filesystem artifacts, and at the time of the disclosure neither RemotePELoader nor RemotePE had appeared on VirusTotal. The toolset combines DPAPI environmental keying with HellsGate direct syscalls and ETW patching, which together neutralise most of what commercial EDR products rely on to spot something this quiet.
Quick facts
| Field | Detail |
|---|---|
| Threat actor | Lazarus subgroup; overlaps with AppleJeus, Citrine Sleet, UNC4736, Gleaming Pisces |
| First documented | September 2025 (Fox-IT) |
| Detailed disclosure | 22 May 2026 (Fox-IT / NCC Group) |
| Malware type | Memory-only Remote Access Trojan |
| Chain | DPAPILoader, RemotePELoader, RemotePE |
| Initial access | Telegram social engineering, fake Calendly / Picktime scheduling lures |
| Persistence | Windows service masquerading as “Internet Authentication Service” |
| Key evasion | DPAPI environmental keying, HellsGate (TartarusGate) syscalls, ETW patching |
| C2 hosting | Namecheap shared hosting |
| Primary targets | Cryptocurrency exchanges, DeFi, financial services |
What is RemotePE?
RemotePE is the final payload in a memory-only toolchain that a Lazarus subgroup has been refining against financial and cryptocurrency organisations since at least mid-2023. Researchers Yun Zheng Hu and Mick Koomen of Fox-IT (NCC Group) published the full technical breakdown on 22 May 2026, building on a more limited disclosure from the same team in September 2025. Observed sample timestamps span July 2023 through May 2024, which suggests sustained development across multiple incident response engagements rather than a one-off campaign.
What sets RemotePE apart from earlier Lazarus malware is what defenders cannot find after the fact. The RAT never touches disk, so forensic imaging of a compromised host will not recover it, and the loaders that bring it into memory are encrypted in a way that makes them effectively useless if extracted and analysed elsewhere. Fox-IT links the activity to a Lazarus subgroup whose tradecraft overlaps with several previously documented clusters, including AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces, all of which share a documented focus on cryptocurrency and financial sector revenue generation for the North Korean regime.
The three-stage attack chain
The intrusion runs through three components that work as a coordinated unit, with each stage gating access to the next.
DPAPILoader is the on-disk anchor of the chain. In the case Fox-IT investigated most thoroughly, it was installed as C:\Windows\System32\Iassvc.dll under a Windows service called “Internet Authentication Service”, a deliberate masquerade of the genuine Microsoft IAS service whose real DLL is iassvcs.dll (note the extra “s” in the legitimate filename). The loader’s payload on disk is encrypted using the Windows Data Protection API and then XORed with the constant byte 0x8D, which means the file is bound cryptographically to the specific Windows user account it was dropped onto. Move that file to any other machine and it is just opaque bytes.
RemotePELoader sits one step deeper. DPAPILoader decrypts it, brings it into memory, and hands off control, at which point RemotePELoader’s job becomes fetching the next stage from a command-and-control server. Before reaching out to the C2 it spends its first cycles dismantling whatever endpoint telemetry might otherwise watch what comes next, combining HellsGate direct syscalls with ETW patching (both covered in more detail below). Only then does it begin polling the operator’s infrastructure for a payload.
RemotePE itself is the RAT. It arrives over HTTPS in AES-GCM encrypted form, gets loaded reflectively into memory by the open-source libpeconv library, and exposes six command categories to the operator. Those cover configuration, console execution, file operations, process management, timing controls, and a plugin system that lets the operator register additional DLL modules at runtime, again without anything being written to disk. The configuration RemotePE reads is shared with RemotePELoader, which keeps both components in sync after operator updates and after host reboots.
There is also a deliberate integrity check built into the handoff: RemotePELoader and RemotePE both verify they were loaded by the previous stage by checking that lpReserved == 0x1000 in DllMain. A clean copy of either binary extracted in isolation will not execute, which limits what researchers can do with samples recovered outside the full chain.
How victims are compromised: the Telegram social engineering chain
Calling this campaign a phishing operation undersells what is actually happening, and it points defenders at the wrong user awareness training. Fox-IT’s incident response observations, corroborated by separate reporting from several other security vendors, describe a far more patient social engineering chain that plays out on Telegram over a series of professional-seeming exchanges before any malware is delivered.
The operator opens by impersonating an employee of a trading firm, investment fund, or DeFi platform, often with a plausible enough profile to survive a casual identity check. After some back-and-forth that establishes the cover, the conversation moves toward scheduling a call, and the target receives a link to what looks like a Calendly or Picktime page. Both are real, widely used scheduling tools, which is the point: the fake versions look enough like the real ones that even a careful employee may not stop to question them. The first malware component reaches the host once the target engages with the fake scheduling platform, and from there the technical phase of the intrusion takes over.
Security-aware employees trained to spot suspicious attachments and spelling errors are not really the audience this campaign is designed to defeat. The victim here is not opening a strange file from a stranger; they are responding to what feels like an ordinary professional interaction with someone in their industry. That credibility is consistent with this Lazarus subgroup’s longer history of running extended social engineering operations on professional and chat platforms against employees of trading and crypto organisations.
Why this toolset defeats traditional EDR
Several design choices in the toolset reinforce each other to neutralise the detection paths most enterprises actually rely on. The cumulative effect is harder to counter than the sum of the parts.
DPAPI environmental keying is the foundation. Because the encrypted payload on disk is tied to the victim’s Windows user account, anyone trying to analyse it elsewhere is locked out without the victim’s DPAPI keys. Static analysis cannot decrypt it, sandbox runs return nothing meaningful, and each victim’s payload produces a unique hash, so even sample-sharing between organisations does not yield reusable indicators. Memory-only execution of the final stage compounds the problem, since RemotePE itself never lands on disk, and forensic imaging of a compromised host returns the loaders but not the RAT they ultimately delivered. Reboot does not break access either, because DPAPILoader persists as a Windows service and reloads the chain when the host comes back online.
The two runtime evasion techniques work the same way, but against live defences rather than after-the-fact analysis. HellsGate (specifically the TartarusGate variant) lets RemotePELoader resolve Windows syscall numbers at runtime by scanning ntdll.dll for syscall stubs, and then remap each loaded DLL from the kernel-maintained \KnownDlls section. That remapping quietly replaces any in-memory copies that EDR products have hooked with clean originals, which unhooks userland security product instrumentation across the entire process. ETW patching closes the remaining gap: a two-instruction overwrite of EtwEventWrite (XOR RAX, RAX; RET) makes the function return zero immediately, suppressing all Event Tracing for Windows events from that process. Plenty of commercial EDR products depend on ETW telemetry for visibility, and once that source is dry, they are essentially watching nothing.
The detection numbers reflect this. At the time of Fox-IT’s publication, neither RemotePELoader nor RemotePE appeared on VirusTotal at all, an unusually low profile that says more about the toolset’s restricted use against high-value targets than it does about the quality of any single vendor’s detection.
Attribution and operator behaviour
Fox-IT assesses attribution to this Lazarus subgroup with high confidence, and the supporting evidence comes from several independent directions. The tradecraft overlaps with multiple previously documented clusters, including AppleJeus (Kaspersky), Citrine Sleet (Microsoft), UNC4736 (Google / Mandiant), and Gleaming Pisces (Palo Alto Unit 42), and all of them have established histories of targeting financial and cryptocurrency organisations on behalf of the North Korean regime.
The C2 itself is operator-gated rather than automated. Sessions only return a payload when a human operator chooses to deliver one, which means much of the polling traffic Fox-IT observed came back empty. That gating model is not what an actor uses when they want to maximise volume; it is what they use when each target has been chosen carefully and the goal is long-term stealthy access rather than opportunistic compromise.
Defender guidance: what exactly to look for
File-based signatures are the wrong primary tool against this toolset, and any detection strategy that leans on them will struggle. Environmentally keyed loaders and a memory-only final payload push the centre of gravity toward host-based behavioural detection and toward network indicators tied to the operator infrastructure.
On the host side, DPAPI-encrypted blobs in unexpected directories are one of the more reliable starting points. In the cases Fox-IT documented, payloads were stored under C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US*.*, though the path is configurable and will vary between deployments. DLLs masquerading as legitimate Windows services warrant scrutiny as well, since the Iassvc.dll masquerade is now a documented pattern and similar service-name impersonation should be treated with suspicion as a class of behaviour rather than as a one-off indicator. Sideloaded DLLs appearing in unexpected host processes deserve attention too: one observed sample was loaded inside ESET’s edp.exe, an unlikely host for anything malicious if you are not looking carefully. RemotePE itself also checks for the existence of a named Windows event with the GUID 554D5C1F-AABE-49E4-AB57-994D22ECED28, which is used as an out-of-band wake signal and which neither RemotePE nor the loaders create themselves, so any process that touches that event name without producing it is worth investigating.
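A hunting script for the on-disk artifact described above (a DPAPI blob that DPAPILoader then XORs with the constant byte 0x8D), written for this page rather than taken from Fox-IT's publication. It relies on the fixed DPAPI blob header (version 1 followed by the DPAPI provider GUID), checks each file header both plain and unmasked with 0x8D, and walks a directory tree; the sample blob it builds and the 16 MiB size cutoff are constructed test values.

```python
"""Hunt for DPAPI blobs, plain or masked with the 0x8D XOR key, in unexpected directories."""
import os
import uuid
from typing import List, Optional, Tuple

# A DPAPI blob begins with dwVersion = 1 (little-endian) followed by the DPAPI provider GUID.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_MAGIC = (1).to_bytes(4, "little") + DPAPI_PROVIDER_GUID.bytes_le
XOR_KEY = 0x8D  # constant DPAPILoader applies on top of the DPAPI encryption

def classify_blob(data: bytes) -> Optional[str]:
    """Return 'dpapi' for a plain DPAPI header, 'dpapi-xor8d' for one masked with 0x8D, else None."""
    head = data[: len(DPAPI_MAGIC)]
    if len(head) < len(DPAPI_MAGIC):
        return None
    if head == DPAPI_MAGIC:
        return "dpapi"
    if bytes(b ^ XOR_KEY for b in head) == DPAPI_MAGIC:
        return "dpapi-xor8d"
    return None

def scan_directory(root: str, max_size: int = 16 * 1024 * 1024) -> List[Tuple[str, str]]:
    """Walk `root` and report files whose first bytes look like a DPAPI blob."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue  # loader payloads are small; skip large media and databases
                with open(path, "rb") as fh:
                    kind = classify_blob(fh.read(len(DPAPI_MAGIC)))
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            if kind:
                hits.append((path, kind))
    return hits

def make_sample_masked_blob() -> bytes:
    """Constructed test input: a DPAPI header plus dummy filler, XORed with 0x8D (not a real blob body)."""
    return bytes(b ^ XOR_KEY for b in DPAPI_MAGIC + b"\x00" * 32)

if __name__ == "__main__":
    print(classify_blob(make_sample_masked_blob()))  # dpapi-xor8d
    # Path from the Fox-IT cases; the storage path is operator-configurable, so widen the scan as needed.
    for path, kind in scan_directory(r"C:\ProgramData\Microsoft\Windows\DeviceMetadataStore"):
        print(kind, path)
```

A plain DPAPI blob is normal in many Windows locations, so the `dpapi-xor8d` class is the strong signal; plain hits are worth reviewing only in directories where no application should be storing protected data.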
On the network side, DNS queries and TLS SNI fields matching the C2 domains documented by Fox-IT remain the most actionable detection path. HTTP traffic carrying the toolset’s distinctive cookie fields (MicrosoftApplicationsTelemetryDeviceId, armAuthorization, ai_session, at_check) is also detectable, though it mimics legitimate Microsoft telemetry traffic closely enough that detection rules need careful tuning to avoid drowning the SOC in false positives. The fact that the operators use Namecheap shared hosting also gives defenders a useful pivot, since fingerprinting that infrastructure has surfaced additional C2 servers tied to the same cluster.
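A detection rule for the cookie-field indicator, added here as an illustration and not part of Fox-IT's or CybelAngel's tooling. It scores how many of the four documented cookie names co-occur in one request, which is the tuning the paragraph calls for; the JSON-lines proxy export format, the sample records, the hosts and addresses in them, and the threshold of three are all assumptions.

```python
"""Flag proxy log records whose Cookie header carries the RemotePE C2 cookie-name combination."""
import json
from typing import Dict, List, Set

# Cookie names the toolset uses. They resemble legitimate telemetry cookies, so one name
# alone is weak evidence; the rule counts how many of the four appear together.
REMOTEPE_COOKIE_NAMES = {
    "MicrosoftApplicationsTelemetryDeviceId",
    "armAuthorization",
    "ai_session",
    "at_check",
}
MIN_MATCHES = 3  # assumed tuning threshold; raise to 4 for a stricter, lower-volume rule

def cookie_names(cookie_header: str) -> Set[str]:
    """Extract cookie names from a raw Cookie header value such as 'a=1; b=2'."""
    names = set()
    for part in cookie_header.split(";"):
        name = part.split("=", 1)[0].strip()
        if name:
            names.add(name)
    return names

def score_request(record: Dict[str, str]) -> int:
    """Number of RemotePE cookie names present in one proxy log record."""
    return len(cookie_names(record.get("cookie", "")) & REMOTEPE_COOKIE_NAMES)

def find_suspicious(log_lines: List[str], threshold: int = MIN_MATCHES) -> List[Dict[str, object]]:
    """Parse JSON-lines proxy records (a constructed format) and return the ones to triage."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; skip it rather than abort the hunt
        score = score_request(rec)
        if score >= threshold:
            hits.append({"src": rec.get("src"), "host": rec.get("host"), "score": score})
    return hits

# Constructed sample export; hosts and addresses are placeholders, not indicators from the report.
SAMPLE_LOG = [
    '{"src": "10.0.0.5", "host": "c2-placeholder.example", "cookie": "MicrosoftApplicationsTelemetryDeviceId=abc; armAuthorization=def; ai_session=ghi; at_check=true"}',
    '{"src": "10.0.0.7", "host": "portal.example", "cookie": "ai_session=xyz; ai_user=123"}',
    '{"src": "10.0.0.9", "host": "cdn.example", "cookie": "sessionid=42"}',
]
if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)  # one hit: 10.0.0.5 -> c2-placeholder.example, score 4
```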
Behaviourally, the techniques worth hunting for include reflective PE loading via libpeconv, userland API hook removal via \KnownDlls remapping, and the specific ETW patching pattern in which EtwEventWrite is modified to return zero. YARA rules and additional technical detail are available in the Fox-IT publication, which is the right starting point for any team building hunting queries around this activity.
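A host-side check for the EtwEventWrite patch described in the evasion section and listed here as a hunting target, added for this page and not drawn from the Fox-IT publication. It matches a function prologue against the byte encodings of the two-instruction overwrite (XOR RAX, RAX; RET, in both 64-bit and 32-bit xor forms), offers a generic in-memory versus on-disk comparison, and, on Windows, reads the live prologue from the current process via ctypes; the "clean" sample bytes are a constructed placeholder, not real ntdll code.

```python
"""Check whether an EtwEventWrite prologue carries the two-instruction 'xor rax, rax; ret' patch."""
import sys
from typing import Optional

# Encodings of the patch: a register-zeroing xor followed by ret. Both the REX.W form (rax) and
# the 32-bit form (eax, which also clears the upper half of rax) are listed, in both xor encodings.
KNOWN_ETW_PATCHES = {
    "xor rax, rax; ret": b"\x48\x31\xc0\xc3",
    "xor rax, rax; ret (alt encoding)": b"\x48\x33\xc0\xc3",
    "xor eax, eax; ret": b"\x31\xc0\xc3",
    "xor eax, eax; ret (alt encoding)": b"\x33\xc0\xc3",
}

def matches_known_etw_patch(prologue: bytes) -> Optional[str]:
    """Return the name of the patch the prologue starts with, or None if it looks unpatched."""
    for name, pattern in KNOWN_ETW_PATCHES.items():
        if prologue.startswith(pattern):
            return name
    return None

def differs_from_disk(in_memory: bytes, on_disk: bytes) -> bool:
    """Generic integrity check: the mapped prologue should match the bytes at the same
    export in the on-disk ntdll.dll; any difference means a hook or patch."""
    n = min(len(in_memory), len(on_disk))
    return in_memory[:n] != on_disk[:n]

def read_own_etweventwrite_prologue(n: int = 8) -> bytes:
    """Windows only: read the first n bytes of EtwEventWrite as mapped in this process."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p  # default int restype would truncate 64-bit pointers
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    addr = k32.GetProcAddress(k32.GetModuleHandleW("ntdll.dll"), b"EtwEventWrite")
    return ctypes.string_at(addr, n)

# Constructed samples: a placeholder "clean" prologue (not real ntdll bytes) and a patched one.
SAMPLE_CLEAN = b"\x4c\x8b\xdc\x48\x83\xec\x58\x48"
SAMPLE_PATCHED = b"\x48\x31\xc0\xc3" + SAMPLE_CLEAN[4:]

if __name__ == "__main__":
    print(matches_known_etw_patch(SAMPLE_PATCHED))  # xor rax, rax; ret
    if sys.platform == "win32":
        live = read_own_etweventwrite_prologue()
        print(live.hex(), matches_known_etw_patch(live) or "no known patch pattern")
```

To sweep other processes, read the same bytes with ReadProcessMemory and compare them against the on-disk export with `differs_from_disk`, which also catches variants that zero the return value with an encoding not in the table.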
How CybelAngel helps
CybelAngel’s Dark Web Monitoring and Credential Intelligence modules continuously surveil underground forums, marketplaces, and chat platforms, Telegram included, where Lazarus operators stage the social engineering operations that lead to intrusions like this one. Our Attack Surface Management product maps the external exposure that gives threat actors the context they need to build credible lures against your employees in the first place, since long-form social engineering of the kind described above relies on detailed reconnaissance before any conversation begins.
For organisations operating in financial services or digital assets, our REACT team provides threat intelligence briefings and takedown support across clear and dark web sources, with particular focus on the underground infrastructure used by state-sponsored actors.
FAQ
RemotePE is a memory-only remote access trojan attributed to a North Korean Lazarus subgroup, and it sits at the end of a three-stage chain that begins with DPAPILoader and RemotePELoader. The RAT runs entirely in RAM, never writes to disk, and uses HellsGate direct syscalls together with ETW patching to evade endpoint detection. Fox-IT (NCC Group) published the detailed technical breakdown on 22 May 2026.
Initial access does not come from generic phishing email, which is one of the more important misconceptions to correct about this campaign. Fox-IT and corroborating reporting describe a social engineering operation on Telegram in which operators impersonate employees of trading firms and walk targets toward fake Calendly or Picktime scheduling pages. The DPAPILoader reaches the host once the target engages with the fake platform, at which point the technical phase of the intrusion begins.
Neither RemotePELoader nor RemotePE had appeared on VirusTotal at the time of Fox-IT’s May 2026 publication. Two of the three observed DPAPILoader samples were uploaded, but neither can be meaningfully analysed without the victims’ DPAPI keys, which are required to decrypt the payload they contain. That detection gap is a direct consequence of the toolset’s DPAPI environmental keying rather than a deficiency in commercial scanning.
Fox-IT documented seven domains used by the RemotePE C2 infrastructure, all hosted on Namecheap shared hosting at the time of the report. Several of those domains were still active when the research was published. The full list, including first-seen and last-seen timestamps for each domain, is available in the Fox-IT publication.
The same Lazarus subgroup previously deployed PondRAT and ThemeForestRAT, and RemotePE represents a deliberate move away from both toward something quieter and harder to recover. The toolset combines DPAPI environmental keying (so samples cannot be analysed off the victim’s machine) with in-memory final-stage execution (so the RAT leaves no filesystem artifacts), HellsGate direct syscalls (which bypass userland API hooks), and ETW patching (which suppresses endpoint telemetry). All of these techniques exist in the wild individually, but using them together in a single coordinated chain is what marks the evolution in tradecraft for this actor.
Signature-based detection is largely ineffective against this toolset, so defender effort is better spent on behavioural and host-based approaches. The most productive detection paths include behavioural detection of reflective PE loading and userland hook removal, ETW patching detection, network detection based on the documented C2 domains and the toolset’s distinctive cookie fields, and host-based indicators such as the Iassvc.dll service masquerade and DPAPI-encrypted files appearing in unexpected directories. The Fox-IT publication also includes YARA rules that defenders can use as a starting point for hunting.
Sustained financial pressure on the North Korean regime has consistently pushed Lazarus operations toward revenue-generating cybercrime, and the cryptocurrency sector offers a particularly efficient revenue channel. Cryptocurrency exchanges and DeFi platforms make attractive targets because stolen assets can be moved through mixing services and across multiple wallets without the friction that comes with laundering traditional fiat. Chainalysis has attributed some of the largest cryptocurrency theft incidents on record to North Korea-linked groups over the past several years.
