Cybersecurity experts have revealed a sophisticated malware known as RemotePE, utilized by the North Korean-affiliated Lazarus Group in attacks on financial and cryptocurrency sectors. The malware, as analyzed by NCC Group’s Fox-IT, is part of a complex multi-stage attack involving loaders named DPAPILoader and RemotePELoader.
Understanding the RemotePE Attack Chain
The attack sequence begins with DPAPILoader, which decrypts and loads RemotePELoader using the Windows Data Protection API (DPAPI). Security researchers Yun Zheng Hu and Mick Koomen explain that RemotePELoader contacts a command-and-control (C2) server, awaiting further instructions to execute RemotePE entirely in memory, leaving no trace on the disk.
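Because DPAPILoader keeps its next stage on disk as a DPAPI-protected blob, a responder can recognise such a file and learn which master key it is bound to without decrypting anything. The following triage helper is an added example, not code from the Fox-IT report: it parses the fixed DPAPI blob header (version, provider GUID, master key GUID, flags, description), and the sample blob it scans is constructed inline. The file names and the master key GUID in the sample are placeholders.

```python
"""Triage helper: recognise DPAPI-protected blobs on disk and extract the
header metadata a responder needs (master key GUID, scope, description).
Added example, not Fox-IT's code; the sample blob below is constructed."""
import pathlib
import struct
import uuid
from typing import Iterable, List, Tuple

# Every CryptProtectData blob starts with version 1 followed by the DPAPI
# provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb, both little-endian.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_MAGIC = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # blob bound to the machine, not the user


def is_dpapi_blob(data: bytes) -> bool:
    """True if the buffer starts with the DPAPI blob magic."""
    return data[: len(DPAPI_MAGIC)] == DPAPI_MAGIC


def parse_dpapi_header(data: bytes) -> dict:
    """Parse the fixed part of a DPAPI blob header.
    After the 20-byte magic: DWORD master key version, GUID of the master key
    that protects the blob, DWORD flags, DWORD description length, then the
    UTF-16LE description (NUL-terminated). Ciphertext follows later."""
    if not is_dpapi_blob(data):
        raise ValueError("not a DPAPI blob")
    off = len(DPAPI_MAGIC)
    (mk_version,) = struct.unpack_from("<I", data, off)
    off += 4
    mk_guid = uuid.UUID(bytes_le=data[off:off + 16])
    off += 16
    flags, desc_len = struct.unpack_from("<II", data, off)
    off += 8
    desc = data[off:off + desc_len].decode("utf-16-le").rstrip("\x00")
    return {
        "master_key_version": mk_version,
        "master_key_guid": str(mk_guid),
        "flags": flags,
        "scope": "machine" if flags & CRYPTPROTECT_LOCAL_MACHINE else "user",
        "description": desc,
    }


def build_sample_blob(mk_guid: str, description: str,
                      payload: bytes = b"\x00" * 8, flags: int = 0) -> bytes:
    """Construct a header-only DPAPI-shaped blob for testing (not real ciphertext)."""
    desc_bytes = (description + "\x00").encode("utf-16-le")
    header = (DPAPI_MAGIC + struct.pack("<I", 1) + uuid.UUID(mk_guid).bytes_le
              + struct.pack("<II", flags, len(desc_bytes)) + desc_bytes)
    return header + payload


def triage_files(files: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, dict]]:
    """Return (name, header) for every buffer that is a DPAPI blob."""
    hits = []
    for name, data in files:
        if not is_dpapi_blob(data):
            continue
        try:
            hits.append((name, parse_dpapi_header(data)))
        except (ValueError, UnicodeDecodeError, struct.error):
            hits.append((name, {"error": "truncated DPAPI header"}))
    return hits


def scan_dir(root: str) -> List[Tuple[str, dict]]:
    """Walk a directory and triage every file by its first 4 KiB."""
    paths = (p for p in pathlib.Path(root).rglob("*") if p.is_file())
    return triage_files((str(p), p.read_bytes()[:4096]) for p in paths)


if __name__ == "__main__":
    # Constructed sample: a blob bound to a placeholder user master key.
    sample = build_sample_blob("11111111-2222-3333-4444-555555555555", "stage2")
    for name, header in triage_files([("stage2.bin", sample), ("x.dll", b"MZ\x90\x00")]):
        print(name, header)
```

The master key GUID is the useful output: a user-scoped blob only decrypts with that user's master key file (under the user's Protect folder, named by the same GUID), which is the environmental keying that keeps the payload inert when copied to a sandbox. Run `scan_dir()` over a suspect directory to list blobs and the keys they depend on.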
First identified in September 2025, RemotePE was linked to an attack on a decentralized finance entity, deploying malware families such as PondRAT, ThemeForestRAT, and RemotePE. The initial breach occurred via social engineering, where attackers posed as a trading company employee on Telegram, setting up fake meetings through fraudulent Calendly and Picktime domains.
Technical Aspects of RemotePE
The infection process involves three stages. Initially, the DPAPILoader DLL decrypts and loads an encrypted payload from disk using DPAPI. The decrypted payload, RemotePELoader, connects to a remote server to fetch and execute the core module in memory, employing evasion techniques like Hell’s Gate and Event Tracing for Windows (ETW) patching.
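ETW patching works by overwriting the first bytes of ntdll!EtwEventWrite so that event writes return before reaching the tracing infrastructure, which blinds userland telemetry. A self-integrity check that inspects that prologue is a common defensive counter. The block below is an added example illustrating that check; it is not code from the Fox-IT report. The byte classification is portable and heuristic; the live read uses ctypes and only works on Windows. The prologue byte strings in the test are constructed.

```python
"""Prologue integrity check for ntdll!EtwEventWrite.
Added example for the ETW-patching evasion described above, not code from
the report. classify_prologue() is a portable heuristic; read_live_prologue()
needs Windows."""
import ctypes
import sys
from typing import Optional

PROLOGUE_LEN = 16

# Minimal x64 stubs that make a function return immediately. A genuine
# ntdll export never begins with any of these.
SILENCING_STUBS = {
    b"\xc3": "ret",
    b"\x33\xc0\xc3": "xor eax, eax ; ret",
    b"\x31\xc0\xc3": "xor eax, eax ; ret",
    b"\xb8\x00\x00\x00\x00\xc3": "mov eax, 0 ; ret",
}


def classify_prologue(prologue: bytes) -> Optional[str]:
    """Describe tampering found in the first bytes of a function, or None.
    Heuristic: silencing stubs, then the common detour encodings used by
    inline hooks (jmp rel32, jmp [rip+disp32], mov rax,imm64 ; jmp rax)."""
    for stub, name in SILENCING_STUBS.items():
        if prologue.startswith(stub):
            return f"silenced with '{name}'"
    if prologue[:1] == b"\xe9":
        return "inline hook (jmp rel32 detour)"
    if prologue[:2] == b"\xff\x25":
        return "inline hook (jmp [rip+disp32] detour)"
    if prologue[:2] == b"\x48\xb8" and prologue[10:12] == b"\xff\xe0":
        return "inline hook (mov rax, imm64 ; jmp rax detour)"
    return None


def read_live_prologue(export: str = "EtwEventWrite",
                       n: int = PROLOGUE_LEN) -> bytes:
    """Read the first n bytes of an ntdll export in the current process.
    Windows only: resolves the export through ctypes and copies the bytes."""
    if sys.platform != "win32":
        raise OSError("live prologue read requires Windows")
    ntdll = ctypes.WinDLL("ntdll")
    addr = ctypes.cast(getattr(ntdll, export), ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


def check_etw(export: str = "EtwEventWrite") -> str:
    """Return a one-line verdict for the named export in this process."""
    verdict = classify_prologue(read_live_prologue(export))
    return f"{export}: {verdict or 'prologue intact'}"


if __name__ == "__main__":
    print(check_etw())
```

A stronger variant compares the live prologue with the bytes at the same RVA in the ntdll.dll image on disk, which catches patches that do not match any listed stub; the heuristic above is the cheap check that an agent can run at startup and periodically thereafter, and any hit on EtwEventWrite in a process that has no legitimate hooking product installed deserves a memory capture.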
The final phase features the RemotePE trojan, written in C++, which polls a C2 server for instructions. It supports multiple commands, including file operations, process management, DLL registration, and server communication. Notably, its file deletion method involves overwriting data seven times before deletion, a tactic also used by related malware like PondRAT.
Lazarus Group’s Stealthy Strategy
Fox-IT’s analysis of four RemotePE samples suggests active development from mid-2023 to mid-2024. The malware’s design emphasizes environmental keying, memory-only execution, and minimal forensic footprint, ideal for prolonged surveillance. This approach aligns with Lazarus Group’s historical focus on financial theft and long-term infiltration.
The malware’s delivery model and low detection rates, with RemotePELoader and RemotePE absent from VirusTotal before public release, indicate a preference for high-value targets. The Lazarus Group’s strategy reflects their intent to achieve sustained access to financial and cryptocurrency organizations, ultimately aiming for high-impact financial crimes.
