North Korea’s Lazarus Group deploys fileless RemotePE trojan, targeting crypto and banks

Cybersecurity analysts have discovered a new fileless remote access trojan (RAT), named RemotePE. It is being used by the Lazarus Group, a cybercrime group believed to be associated with North Korea, to target banks and crypto companies.

According to a recent analysis, this malware functions entirely in memory, making it nearly impossible to leave any footprints on the affected computer systems.

Lazarus Group leans on social engineering to defraud investors

The Lazarus Group begins the hack through social engineering techniques. They pose as employees of trading firms via Telegram. To do this, the actors use fake copies of Calendly and Picktime, which are widely used to schedule meetings.

After getting approval for a meeting, the chain of events proceeds until the first piece of malware is installed. This “human in the loop” method enables Lazarus operators to develop effective lures.

The malware operates through a well-coordinated three-stage chain that aims to reduce disk operations. First is DPAPILoader. This is a dynamic-link library (DLL), also known by its filename Iassvc.dll since November 2023.

The program uses the Windows Data Protection Application Programming Interface (DPAPI) to decrypt a payload stored on disk.

The decrypted payload is then passed to RemotePELoader, which creates an HTTP connection to the C2 at aes-secure[.]net. After this, it downloads and runs the last RemotePE stage in-memory.

To bypass EDR solutions, RemotePELoader uses Hell’s Gate techniques and ETW Patching to evade detection.

Finally, the main RemotePE RAT payload never comes into contact with the filesystem, maintaining low forensic visibility throughout the entire attack chain. This malware was first discovered in September 2025.

In the reported incident, a decentralized finance (DeFi) firm had its infrastructure compromised by three different RATs—RemotePE, PondRAT, and ThemeForestRAT—that eventually replaced one another.

Advanced tech and AI turn into traders’ worst nightmare

Earlier, crypto investors turned to AI and tech to streamline trading. Now, the same tools have fallen into hackers’ hands, causing them huge financial pains.

Environmental keying by DPAPI, memory-only execution, ETW patching, and Hell’s Gate make RemotePE nearly impossible to detect with traditional methods. Analysts at Fox-IT, an affiliate of NCC Group, have noted that these characteristics suggest the malware is designed to sustain itself in the long term to conduct reconnaissance before launching a strike, unlike typical disruptive malware attacks.

The Lazarus Group has already stolen about $577 million in crypto in the first four months of 2026. This accounts for 76% of all crypto thefts worldwide, despite just two major hacking incidents, according to blockchain analytics firm TRM Labs.

The percentage of crypto hacks attributable to North Korea has risen sharply. From single-digit figures in previous years to 64% in 2025 and 76% in 2026. Their record amount stolen is now at $6 billion since 2017. These funds allegedly finance the country’s weapons and nuclear development programs amid sanctions.

Hackers turn to AI to destabilize devs behind major tech entities

Cybersecurity experts have discovered a large-scale attack in which hackers targeted over 700 sites running the Ghost Content Management System, exploiting a critical SQL injection flaw. The cyberattacks gave attackers access to admin accounts’ usernames and passwords, enabling them to inject malware via JavaScript redirects into their ClickFix distribution channels.

The targeted platforms include academic institutions, AI endeavors, blockchain services, software-as-a-service vendors, cybersecurity research sources, news agencies, and fintech firms.

Victims who run into the fake CAPTCHA are asked to enter a Base64-encoded string into the Run dialog box. In this step, they can download a ZIP file containing a batch script. This batch script then runs a PowerShell command that will fetch either a signed DLL or JavaScript files from a remote server.

Earlier versions of the malware would run a DLL using the rundll32.exe. However, recent versions install an Inno Setup installer for an open-source version of the Electron application called Grape. Upon installation, the malware becomes persistent and polls the C2 domain web-telegram[.]ug, every 30 seconds.