Lazarus deploys fileless Trojan RemotePE, targeting the crypto industry and banks

MarketWhisper

Crypto bank trojan attack

According to Cryptopolitan on May 26, network security analysts found a new fileless remote access trojan (RAT) named RemotePE, associated with North Korea’s Lazarus Group, which is using it to attack banks and cryptocurrency companies. RemotePE runs entirely in memory, without touching the file system, making it extremely difficult for traditional antivirus and forensics tools to detect.

RemotePE’s three-stage attack chain: an execution mechanism that never touches the file system

RemotePE executes through three interconnected stages, with the entire process never touching the file system:

Stage 1 - DPAPILoader: A dynamic-link library (DLL; since November 2023 the file name has also been Iassvc.dll) that uses Windows DPAPI to decrypt the payload stored on disk

Stage 2 - RemotePELoader: Establishes an HTTP connection with the C2 server of aes-secure[.]net; uses the Hell’s Gate technique and ETW patching to bypass EDR solutions

Stage 3 - RemotePE: The main payload, downloaded and executed in memory, never touching the file system

A DeFi company confirmed it was hit by continuous attacks from three types of RATs: RemotePE, PondRAT, and ThemeForestRAT.

Social engineering tactics: posing as employees of a trading company

The attackers impersonate employees of a trading company via Telegram and use forged Calendly and Picktime meeting invitations to schedule meetings as the social engineering lure; once the target accepts the meeting, they launch the three-stage malware installation chain. Fox-IT noted that this “human intervention” approach allows attackers to design tailored lures for specific targets.

Lazarus Group 2026 theft stats: TRM Labs confirms the data

TRM Labs confirmed that in the first four months of 2026, Lazarus Group stole about $577 million in cryptocurrency assets through just two major incidents, accounting for 76% of the total global crypto theft in 2026. The share of hacker attacks linked to North Korea rose from the single digits in previous years to 64% in 2025 and 76% in 2026. The group has accumulated about $6 billion in stolen funds since 2017, and these funds are reportedly used for North Korea’s weapons and nuclear weapons R&D under sanctions.

Frequently Asked Questions

What is the core difference between RemotePE and a typical RAT?

RemotePE’s core feature is pure in-memory execution (no file drop): none of the three execution stages touches the file system, which makes it difficult for traditional file-scanning antivirus software and forensics tools to detect. Fox-IT’s analysts noted that this design is intended to enable long-term stealth for reconnaissance, rather than short-term disruption.

How does Stage 2 RemotePELoader bypass EDR solutions?

RemotePELoader uses the Hell’s Gate technique and ETW patching to bypass endpoint detection and response (EDR) solutions. ETW patching overwrites the user-mode Event Tracing for Windows functions that EDR sensors rely on for telemetry, so the events are never emitted; Hell’s Gate resolves system call numbers from ntdll at runtime and invokes them directly, so the user-mode API hooks that EDR places on those functions are never executed.
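A defender-side check for the ETW patching described above, added here as an example (it is not code from the article, from Fox-IT, or from the malware analysis): it classifies the first bytes of an ETW export such as ntdll!EtwEventWrite by comparing them with common “return immediately” stubs and with a reference copy of the on-disk bytes. The stub byte patterns and the sample prologue are assumed/constructed values; `read_live_prologue` is a hypothetical helper that only works on Windows.

```python
import sys
from typing import Optional

# Common "return immediately" stubs written over the first bytes of an ETW export
# on x64. Assumed from public descriptions of the technique, not from the article.
PATCH_STUBS = {
    b"\xc3": "ret",
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x48\x33\xc0\xc3": "xor rax,rax; ret",
    b"\xb8\x00\x00\x00\x00\xc3": "mov eax,0; ret",
}


def classify_prologue(in_memory: bytes, on_disk: Optional[bytes] = None) -> str:
    """Classify an export's first bytes as 'clean', 'patched:<stub>' or 'modified'.

    'modified' means the bytes differ from the reference copy but match no known
    stub; that may be an unknown patch or a legitimate EDR inline hook (a jmp into
    the vendor's DLL), so correlate it with other telemetry rather than alert blindly.
    """
    for stub, name in PATCH_STUBS.items():
        if in_memory.startswith(stub):
            return f"patched:{name}"
    if on_disk is not None:
        n = min(len(in_memory), len(on_disk))
        if in_memory[:n] != on_disk[:n]:
            return "modified"
    return "clean"


def read_live_prologue(export: str = "EtwEventWrite", n: int = 16) -> bytes:
    """Read the first n bytes of an ntdll export in this process (Windows only)."""
    import ctypes
    ntdll = ctypes.WinDLL("ntdll")
    addr = ctypes.cast(getattr(ntdll, export), ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


# Constructed sample prologue standing in for the clean on-disk bytes of the export.
CLEAN_PROLOGUE = b"\x48\x89\x5c\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xec\x20"

if __name__ == "__main__":
    if sys.platform == "win32":
        # Live check; a full implementation would also pass the bytes read from
        # the ntdll.dll image in System32 as the on_disk reference.
        print(classify_prologue(read_live_prologue()))
    else:
        for sample in (CLEAN_PROLOGUE, b"\xc3" + CLEAN_PROLOGUE[1:], b"\xe9\x11\x22\x33\x44"):
            print(sample.hex(), "->", classify_prologue(sample, CLEAN_PROLOGUE))
```

Because the loader patches in the process it is running in, the check is most useful when run inside or against the monitored process (for example from an EDR agent or a memory forensics pass), not from a separate clean process.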

How are the stolen funds from Lazarus Group tracked?

TRM Labs is the primary blockchain analytics company tracking Lazarus Group’s on-chain activity, confirming the theft statistics of about $577 million in the first four months of 2026, as well as the record of about $6 billion accumulated since 2017. For the specific tracking approach, refer to TRM Labs’ original report.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.