North Korea’s Lazarus Group Deploys Undetectable Fileless Malware in Crypto Heists


Key takeaways:

  • North Korean state-sponsored hacks dominating crypto theft signals elevated systemic risk.
  • DeFi platforms may face regulatory pressure to improve security, impacting token valuations.
  • Long-term undetected malware campaigns could trigger sudden liquidity crises for affected tokens.

Cybersecurity researchers have uncovered a new fileless remote access trojan (RAT) named RemotePE, actively used by the North Korea-linked Lazarus Group to infiltrate banks and cryptocurrency firms. The malware operates entirely in memory, leveraging a three-stage chain that begins with social engineering on Telegram where attackers impersonate trading firm employees. Victims are lured into scheduling meetings via fake Calendly and Picktime interfaces, initiating an infection sequence designed to leave minimal traces on compromised systems.

The attack chain starts with a DPAPILoader DLL (tracked as Iassvc.dll since November 2023), which decrypts a payload using the Windows Data Protection API. Next, RemotePELoader establishes contact with a command-and-control server at aes-secure[.]net, employing Hell’s Gate and ETW Patching to bypass endpoint detection. The final stage, RemotePE, is downloaded directly into memory without ever touching the disk. First spotted in September 2025, the malware has already been used alongside PondRAT and ThemeForestRAT to compromise a decentralized finance (DeFi) firm.
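As an added defender-side example (not code from the article, Fox-IT, or TRM Labs), the script below correlates Sysmon-style log events for the two stages of this chain that leave host telemetry: the Iassvc.dll loader being loaded, followed by contact with aes-secure[.]net from the same host. The event schema, hostnames, paths and timestamps are constructed for illustration, and the 30-minute window is an assumption.

```python
# Added example: correlate the observable stages of the RemotePE chain described
# in the article (Iassvc.dll image load -> C2 contact with aes-secure[.]net).
import json
from datetime import datetime, timedelta

LOADER_DLL = "iassvc.dll"       # DPAPILoader DLL name reported in the article
C2_DOMAIN = "aes-secure.net"    # defanged in the article as aes-secure[.]net
WINDOW = timedelta(minutes=30)  # assumed correlation window (not from the article)

# Constructed Sysmon-like events: 7 = ImageLoad, 22 = DNS query, 3 = network connect
SAMPLE_EVENTS = [
    '{"ts":"2025-09-10T09:00:00","host":"ws01","event_id":7,'
    '"image":"C:\\\\Users\\\\a\\\\AppData\\\\Local\\\\Temp\\\\Iassvc.dll"}',
    '{"ts":"2025-09-10T09:03:00","host":"ws01","event_id":22,"query":"aes-secure.net"}',
    '{"ts":"2025-09-10T10:00:00","host":"ws02","event_id":3,"dest_host":"api.aes-secure.net"}',
    '{"ts":"2025-09-10T11:00:00","host":"ws03","event_id":7,'
    '"image":"C:\\\\Windows\\\\System32\\\\lsasrv.dll"}',
]

def parse(lines):
    """Decode one JSON event per line and turn the timestamp into a datetime."""
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev

def c2_match(ev):
    """True if a DNS query or network event targets the C2 domain or a subdomain."""
    name = (ev.get("query") or ev.get("dest_host") or "").lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)

def correlate(lines, window=WINDOW):
    """Return (host, severity, detail) alerts, ordered by event time."""
    loads = {}   # host -> earliest Iassvc.dll load time seen
    alerts = []
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["event_id"] == 7 and ev["image"].lower().endswith("\\" + LOADER_DLL):
            loads.setdefault(host, ev["ts"])
        elif ev["event_id"] in (3, 22) and c2_match(ev):
            t0 = loads.get(host)
            if t0 is not None and ev["ts"] - t0 <= window:
                alerts.append((host, "high", "Iassvc.dll load followed by C2 contact"))
            else:
                alerts.append((host, "medium", "C2 domain contact without loader evidence"))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Because the final RemotePE stage never touches disk, file- and name-based indicators like these only cover the loader and its network contact; treat them as one signal alongside memory and EDR telemetry rather than as proof of absence.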

According to Fox-IT (part of NCC Group), RemotePE’s stealthy design—environmental keying, memory-only execution, and anti-EDR techniques—suggests it is built for long-term espionage before executing high-value heists. Data from TRM Labs shows Lazarus Group stole $577 million in cryptocurrency during the first four months of 2026, accounting for 76% of all crypto thefts globally and bringing their total haul since 2017 to over $6 billion. These funds are believed to finance North Korea’s weapons and nuclear programs, intensifying existing sanctions.
