Cybersecurity researchers have shed light on a cross-platform malware called RemotePE that has been put to use by the North Korea-linked Lazarus Group in attacks targeting financial and cryptocurrency organizations.
RemotePE, per NCC Group subsidiary Fox-IT, is part of a multi-stage attack chain that involves two loaders tracked as DPAPILoader and RemotePELoader.
“DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI),” security researchers Yun Zheng Hu and Mick Koomen said. “RemotePELoader beacons to a C2 server and waits until it receives the next stage: RemotePE, a RAT executed entirely in memory and never written to disk, leaving no filesystem artifacts.”
RemotePE was first highlighted by the security vendor in September 2025 in connection with an attack targeting an unnamed organization in the decentralized finance (DeFi) sector, leading to the deployment of three malware families, including PondRAT, ThemeForestRAT, and RemotePE.
The intrusion commenced with the compromise of an employee’s device through social engineering, after having approached the victim on Telegram under the guise of an existing employee of a trading company and scheduling a meeting on fake Calendly and Picktime domains.
The RemotePE infection sequence goes through three stages, with the DPAPILoader DLL (“Iassvc.dll”) responsible for decrypting and loading an encrypted payload from disk using DPAPI. The earliest DPAPILoader artifact dates back to November 2023.
The decrypted payload is another loader, RemotePELoader, which is designed to contact a remote server (“aes-secure[.]net”) over HTTP, fetch the core module, and execute it in memory, but not before taking steps to evade detection using techniques like Hell’s Gate and patching Event Tracing for Windows (ETW).
The final stage is a full-fledged remote access trojan named RemotePE that’s written in C++ and polls a command-and-control (C2) server for further instructions. The malware supports six categories of commands, allowing it to –
- Obtain or modify the C2 configuration
- Get or change the current working directory, register a new DLL module, get loaded DLLs, and unload a DLL
- Perform file operations
- Get a list of running processes, create a new process, or kill process by ID
- Sleep for a predetermined interval or exit RemotePE
- Ping the server
A notable aspect of the file deletion command is that it overwrites each file with constant bytes seven times before renaming and deleting it, a pattern also observed in PondRAT and POOLRAT (aka SIMPLESEA). PondRAT is assessed to be a lightweight version of POOLRAT.
Fox-IT said it obtained four RemotePE samples that indicate the RAT was under active development between mid-2023 and mid-2024. The first version has a timestamp of July 4, 2023.
“The toolset’s environmental keying, memory-only execution, EDR evasion, and low forensic footprint suggest it is purpose-built for long-term observation campaigns,” the researchers said. “This allows the actor to quietly maintain access over an extended period before moving to a high-impact final objective such as data theft or a large-scale financial heist, consistent with this actor’s known history.”
“The actor-in-the-loop delivery model and the toolset’s low detection rate (neither RemotePELoader nor RemotePE appeared on VirusTotal prior to this publication) suggest this toolset may be reserved for high-value targets where long-term, stealthy access is the objective, consistent with this Lazarus subgroup’s known focus on financial and cryptocurrency organizations.”
