May 26, 2026

Lazarus Group Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms


The North Korea-linked Lazarus Group — one of the most prolific and financially motivated nation-state threat actors in operation — is deploying a new cross-platform malware called RemotePE that runs entirely in memory, leaving no files on disk and severely limiting the artifacts available for forensic investigation. NCC Group's subsidiary Fox-IT documented the toolset in a technical report published May 22, 2026, detailing a multi-stage attack chain that includes two loaders — DPAPILoader and RemotePELoader — before delivering the final-stage RAT (Remote Access Trojan — malware that gives an attacker persistent, interactive control over a compromised machine). The campaign targets financial institutions and cryptocurrency organizations, consistent with Lazarus's well-documented focus on financial theft to fund North Korea's weapons programs.

// 01 RemotePE: Technical Details

RemotePE is part of a three-stage malware chain designed specifically to evade endpoint detection and forensic recovery. The stages are:

Stage 1 — DPAPILoader: The initial loader, DPAPILoader, is responsible for decrypting and loading the second stage. It uses the Windows DPAPI (Data Protection API — a Windows operating system feature that encrypts data using keys derived from the current user's credentials, meaning the encrypted data can only be decrypted on the same machine by the same user account) to decrypt an encrypted blob stored on disk. This technique ties the encrypted payload to the victim machine's identity, making offline analysis of the encrypted blob impractical without the victim's credentials. Once decrypted, DPAPILoader loads RemotePELoader into memory.

Stage 2 — RemotePELoader: RemotePELoader does not execute the final payload immediately. Instead, it establishes a connection to a command-and-control (C2) server and beacons — sending periodic check-in requests — until the attacker is ready to deliver the next stage. This actor-in-the-loop delivery model (where a human operator monitors incoming beacons and manually delivers the next stage rather than automating the full chain) prevents automated sandbox analysis tools from triggering the final payload, since they typically time out waiting for C2 responses.

Stage 3 — RemotePE: Once the attacker decides to proceed, RemotePELoader receives the RemotePE payload over the C2 channel and executes it directly in memory using a technique known as reflective PE loading (loading a Windows executable from memory without writing it to disk, bypassing file-based antivirus scanning). RemotePE never touches the filesystem, which means standard file integrity monitoring, antivirus scanners, and post-incident forensic disk imaging will not find it. RemotePE is a full-featured RAT providing interactive command execution, file transfer, and persistent remote control.

Neither RemotePELoader nor RemotePE appeared on VirusTotal (the industry's largest multi-engine malware scanning platform, used to assess whether a file is detected by commercial endpoint security tools) prior to Fox-IT's publication. Their absence from VirusTotal indicates the toolset had not previously been shared, leaked, or encountered by endpoint security vendors — a strong indicator that it is reserved for high-value targets where operational security and stealth are priorities.

// 02 Exploitation Status and Threat Landscape

Fox-IT attributes RemotePE to a Lazarus Group subgroup based on code similarities, infrastructure overlaps, and targeting patterns consistent with prior Lazarus campaigns against the financial sector. The Lazarus Group (a North Korean state-sponsored threat actor tracked by the cybersecurity community since at least 2009, believed to operate under the direction of the Reconnaissance General Bureau of the Korean People's Army) has been responsible for the theft of billions of dollars in cryptocurrency through exchange hacks, DeFi protocol exploits, and social engineering of developers.

RemotePE was first observed in September 2025 in an attack against an unnamed organization in the DeFi (Decentralized Finance — blockchain-based financial services that operate without centralized intermediaries such as banks) sector, where Lazarus deployed three malware families simultaneously: PondRAT, ThemeForestRAT, and RemotePE. The May 2026 report documents continued and expanded use of RemotePE as a standalone tool in a new wave of intrusions.

The actor-in-the-loop delivery model used here is operationally significant. Automated threat detection tools, sandbox environments, and phishing simulation platforms generally fail against it because they do not receive the final payload — the human operator simply does not send it. This technique has been observed in other Lazarus campaigns and reflects the group's sophisticated operational security practices honed over years of high-profile intrusions.

MITRE ATT&CK technique T1055 (Process Injection — injecting code into the memory space of a running process to execute malicious code while appearing to be a legitimate process) and T1620 (Reflective Code Loading — loading code from memory without writing it to disk) are both relevant to the RemotePE deployment method.

// 03 Who Is Affected

The campaign specifically targets financial institutions and cryptocurrency organizations. Based on the September 2025 precursor activity, DeFi platforms and cryptocurrency exchanges are high-priority targets. The broader financial sector — investment firms, banks with cryptocurrency exposure, trading platforms, and fintech companies — should also treat this as a current threat.

The initial infection vector (how RemotePE first reaches a target's systems) has not been definitively confirmed in the current campaign, but prior Lazarus operations against financial targets have used spear-phishing emails with malicious documents, fake job offers sent via LinkedIn and Telegram, and trojanized open-source developer tools. Security teams at organizations matching this targeting profile should actively hunt for indicators of compromise associated with this toolset.

// 04 What You Should Do Right Now

  • Hunt for DPAPILoader and RemotePELoader indicators. The Fox-IT report provides YARA rules and network indicators of compromise (IoCs); deploy these across your EDR (Endpoint Detection and Response) platform and network monitoring tools.
  • Monitor for unusual DPAPI usage. Legitimate applications use Windows DPAPI for credential storage, but execution of DPAPI decryption within a new or unexpected process on a developer or finance workstation warrants investigation. EDR telemetry showing CryptUnprotectData calls from unsigned or recently created executables should be flagged.
  • Look for unsigned PE loading in memory. Endpoint security products with memory scanning capabilities should be configured to alert on reflective PE loading patterns — specifically, instances where PE headers appear in process memory without a corresponding file on disk.
  • Monitor for unexpected outbound connections to non-standard ports. RemotePELoader's C2 beacon represents the first external contact. Anomaly-based network detection that baselines normal outbound traffic from developer and finance workstations will surface unexpected C2 check-ins.
  • Apply the principle of least privilege to financial system access. Ensure that workstations used for cryptocurrency custody, exchange operations, or financial transaction approval have strict network segmentation and cannot reach arbitrary internet destinations.
  • Brief your team on Lazarus social engineering tactics. Initial access in Lazarus campaigns frequently involves LinkedIn messages offering high-paying jobs or Telegram-based developer outreach. Employees in financial and crypto organizations should know to treat unexpected developer job offers or freelance contracts with high suspicion.
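The DPAPI and in-memory PE hunting items above can be turned into a first-pass triage over EDR telemetry exports. The following script is an added example written for this article, not code from Fox-IT or the Ciphers Security team; the record layout, field names, host names and sample records are all constructed assumptions, and the "recently created" window of seven days is an arbitrary threshold to tune per environment.

```python
"""Triage constructed EDR-style telemetry for two RemotePE-chain signals:
CryptUnprotectData (DPAPI) calls from unsigned or recently created executables,
and executable memory regions holding a PE header with no backing file on disk."""
import struct
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 26, tzinfo=timezone.utc)   # fixed clock so results are reproducible
RECENT = timedelta(days=7)                          # "recently created" threshold (assumed)

def has_pe_header(buf: bytes) -> bool:
    """True if buf starts with an MZ stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def flag_dpapi_calls(calls, now=NOW):
    """Return (host, pid, image, reason) for DPAPI decrypts made by suspicious callers."""
    hits = []
    for c in calls:
        if c["api"] != "CryptUnprotectData":
            continue
        created = datetime.fromisoformat(c["image_created"].replace("Z", "+00:00"))
        if not c["signed"]:
            hits.append((c["host"], c["pid"], c["image"], "unsigned caller"))
        elif now - created < RECENT:
            hits.append((c["host"], c["pid"], c["image"], "recently created caller"))
    return hits

def flag_unbacked_pe_regions(regions):
    """Return (host, pid, base) for executable regions that hold a PE image but map no file."""
    return [(r["host"], r["pid"], r["base"]) for r in regions
            if "EXECUTE" in r["protect"] and r["mapped_file"] is None
            and has_pe_header(r["head"])]

# Constructed sample telemetry (not indicators from the Fox-IT report). PE_HEAD is a minimal
# valid DOS/PE header prefix: 'MZ', zero padding, e_lfanew=0x40, then the 'PE\0\0' signature.
PE_HEAD = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
API_CALLS = [
    {"host": "fin-ws-01", "pid": 4120, "image": "C:\\Windows\\System32\\lsass.exe", "api": "CryptUnprotectData", "signed": True, "image_created": "2025-01-10T00:00:00Z"},
    {"host": "fin-ws-01", "pid": 7788, "image": "C:\\Users\\dev\\AppData\\Local\\Temp\\update.exe", "api": "CryptUnprotectData", "signed": False, "image_created": "2026-05-24T09:12:00Z"},
    {"host": "fin-ws-02", "pid": 5120, "image": "C:\\Program Files\\Vendor\\sync.exe", "api": "CryptUnprotectData", "signed": True, "image_created": "2026-05-25T08:00:00Z"},
]
MEMORY_REGIONS = [
    {"host": "fin-ws-01", "pid": 7788, "base": 0x1A2B0000, "protect": "PAGE_EXECUTE_READWRITE", "mapped_file": None, "head": PE_HEAD},
    {"host": "fin-ws-01", "pid": 4120, "base": 0x7FF80000, "protect": "PAGE_EXECUTE_READ", "mapped_file": "C:\\Windows\\System32\\ntdll.dll", "head": PE_HEAD},
    {"host": "fin-ws-02", "pid": 5120, "base": 0x02C00000, "protect": "PAGE_EXECUTE_READWRITE", "mapped_file": None, "head": b"\x00" * 64},
]

if __name__ == "__main__":
    for hit in flag_dpapi_calls(API_CALLS) + flag_unbacked_pe_regions(MEMORY_REGIONS):
        print("ALERT", hit)
```

Only the second region fires the PE check: the ntdll region is file-backed and the third holds no PE header, which is the distinction the memory-scanning recommendation relies on.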

// 05 Background: Understanding the Risk

The Lazarus Group's financial targeting is not opportunistic — it is strategic. The United Nations has estimated that North Korea has stolen over $3 billion in cryptocurrency since 2017, with proceeds funding the country's ballistic missile and nuclear programs. Unlike financially motivated cybercriminal groups that may negotiate or move on after a failed intrusion, Lazarus operates with nation-state patience and resources: they will wait weeks for an actor-in-the-loop delivery window, maintain persistent access for months, and invest in custom tooling specifically to avoid detection in high-value environments.

The memory-only execution model is a direct response to the improvement of endpoint detection tools over the past five years. As EDR platforms became better at detecting malicious files on disk, Lazarus invested in techniques that keep payloads entirely in volatile memory. This arms race means that defenses relying primarily on file-based detection — traditional antivirus and signature-based tools — are increasingly insufficient against this tier of threat actor.

The cross-platform nature of RemotePE (the name hints at its design as a generic remote execution framework rather than a Windows-only implant) suggests the group may be developing or already deploying Linux and macOS variants, consistent with the increasing presence of Linux and macOS in financial and cryptocurrency infrastructure.

Previous Lazarus malware families including PondRAT and ThemeForestRAT established the group's pattern of deploying multiple simultaneous implants to ensure persistence even if one is discovered and removed. RemotePE's role as the memory-only final stage suggests it is the high-value payload reserved for the most sensitive targets within an already-compromised environment.

// 06 Conclusion

RemotePE represents a mature and well-resourced offensive toolset from a threat actor with a demonstrated track record of stealing hundreds of millions of dollars from financial and cryptocurrency targets. Organizations in the financial sector — particularly those with cryptocurrency exposure — should treat this campaign as an active threat, hunt for the published IoCs, and ensure their endpoint defenses extend beyond file-based detection to include memory scanning and behavioral analytics.

For any query contact us at contact@cipherssecurity.com

Team Ciphers Security

The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
