Lazarus Group Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms

Fox-IT (NCC Group) disclosed RemotePE, a cross-platform, memory-only remote access trojan attributed to North Korea’s Lazarus Group. The malware targets financial and cryptocurrency organizations via a multi-stage attack chain.

Two loaders — DPAPILoader and RemotePELoader — handle decryption and in-memory execution, keeping the final payload off disk to evade traditional endpoint detection. Financial and crypto firms should review EDR telemetry for anomalous in-memory execution patterns and DPAPI decryption activity.