Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Lazarus Group Targets Finance with RemotePE Malware

Lazarus Group Targets Finance with RemotePE Malware

Posted on May 25, 2026 By CWS

Cybersecurity experts have revealed a sophisticated malware known as RemotePE, utilized by the North Korean-affiliated Lazarus Group in attacks on financial and cryptocurrency sectors. The malware, as analyzed by NCC Group’s Fox-IT, is part of a complex multi-stage attack involving loaders named DPAPILoader and RemotePELoader.

Understanding the RemotePE Attack Chain

The attack sequence begins with DPAPILoader, which decrypts and loads RemotePELoader using the Windows Data Protection API (DPAPI). Security researchers Yun Zheng Hu and Mick Koomen explain that RemotePELoader contacts a command-and-control (C2) server, awaiting further instructions to execute RemotePE entirely in memory, leaving no trace on the disk.

First identified in September 2025, RemotePE was linked to an attack on a decentralized finance entity, deploying malware families such as PondRAT, ThemeForestRAT, and RemotePE. The initial breach occurred via social engineering, where attackers posed as a trading company employee on Telegram, setting up fake meetings through fraudulent Calendly and Picktime domains.

Technical Aspects of RemotePE

The infection process involves three stages. Initially, the DPAPILoader DLL decrypts and loads an encrypted payload from disk using DPAPI. The decrypted payload, RemotePELoader, connects to a remote server to fetch and execute the core module in memory, employing evasion techniques like Hell’s Gate and Event Tracing for Windows (ETW) patching.

The final phase features the RemotePE trojan, written in C++, which polls a C2 server for instructions. It supports multiple commands, including file operations, process management, DLL registration, and server communication. Notably, its file deletion method involves overwriting data seven times before deletion, a tactic also used by related malware like PondRAT.

Lazarus Group’s Stealthy Strategy

Fox-IT’s analysis of four RemotePE samples suggests active development from mid-2023 to mid-2024. The malware’s design emphasizes environmental keying, memory-only execution, and minimal forensic footprint, ideal for prolonged surveillance. This approach aligns with Lazarus Group’s historical focus on financial theft and long-term infiltration.

The malware’s delivery model and low detection rates, with RemotePELoader and RemotePE absent from VirusTotal before public release, indicate a preference for high-value targets. The Lazarus Group’s strategy reflects their intent to achieve sustained access to financial and cryptocurrency organizations, ultimately aiming for high-impact financial crimes.

The Hacker News Tags:Cryptocurrency, Cybersecurity, DPAPILoader, financial sector, Lazarus Group, Malware, RAT, RemotePE, RemotePELoader, threat intelligence

Post navigation

Previous Post: Rise in Scans Targeting SonicWall Firewall Interfaces
Next Post: Data Breach at Richmond Radiology Impacts 266,000

Related Posts

Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack The Hacker News
Over 900 FreePBX Systems Infected in Web Shell Attacks Over 900 FreePBX Systems Infected in Web Shell Attacks The Hacker News
RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers The Hacker News
AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims The Hacker News
WhatsApp Warns 200 Users of Fake iOS App Spyware WhatsApp Warns 200 Users of Fake iOS App Spyware The Hacker News
Supply Chain Attack Targets TanStack and AI Packages Supply Chain Attack Targets TanStack and AI Packages The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • UNC6692 Exploits Microsoft Teams for SNOW Malware Attack
  • UK Unveils Cybersecurity Strategy with AI Defense Initiative
  • GodDamn Ransomware Employs PoisonX to Bypass Security
  • Everest Ransomware’s Dubious Data Theft Claim Examined
  • GhostLock Bug in Linux Kernel Earns $92k Bounty

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • UNC6692 Exploits Microsoft Teams for SNOW Malware Attack
  • UK Unveils Cybersecurity Strategy with AI Defense Initiative
  • GodDamn Ransomware Employs PoisonX to Bypass Security
  • Everest Ransomware’s Dubious Data Theft Claim Examined
  • GhostLock Bug in Linux Kernel Earns $92k Bounty

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark