Lazarus Uses Memory-Only RemotePE RAT in Attacks on Financial and Crypto Firms
Researchers from Fox-IT have detailed a sophisticated malware framework called RemotePE used by the North Korea-linked Lazarus Group in attacks against financial and cryptocurrency organizations. The multi-stage attack chain employs loaders known as DPAPILoader and RemotePELoader to decrypt and execute the RemotePE remote access trojan entirely in memory, never writing the payload to disk, which minimizes forensic traces and evades endpoint detection tools. The campaign begins with social engineering on platforms such as Telegram and uses advanced evasion techniques, including ETW patching and in-memory execution, to maintain stealthy long-term access. Researchers believe the malware is designed for prolonged observation and high-value financial operations, consistent with Lazarus Group’s history of targeting cryptocurrency and decentralized finance entities.
Reference: thehackernews.com