The North Korea-backed Lazarus Group has been observed using a cross-platform malware framework called RemotePE in attacks targeting financial institutions and cryptocurrency organizations.
According to researchers at NCC Group subsidiary Fox-IT, the malware operates through a multi-stage infection chain using two loaders known as DPAPILoader and RemotePELoader. The campaign ultimately deploys RemotePE, a stealthy remote access trojan (RAT) that executes entirely in memory, leaving virtually no traces on disk.
Researchers say that DPAPILoader uses the Windows Data Protection API (DPAPI) to decrypt and launch RemotePELoader from disk. The second-stage loader then communicates with a command-and-control (C&C) server to retrieve the final payload.
RemotePE first came to light in September 2025 during an investigation into an attack against an unnamed decentralized finance (DeFi) organization. The intrusion reportedly began with social engineering tactics on Telegram, where attackers impersonated an employee of a trading company and lured the victim to fake scheduling websites impersonating Calendly and Picktime.
In the first stage of the attack, a malicious DLL file named “Iassvc.dll” decrypts an encrypted payload using DPAPI. The decrypted RemotePELoader then contacts a remote server identified as aes-secure[.]net over HTTP to fetch the core malware. Before executing the payload, the loader employs advanced evasion techniques such as Hell’s Gate and tampering with Event Tracing for Windows (ETW) to avoid detection.
The final payload, which is RemotePE, is a C++-based RAT that continuously polls its C&C infrastructure for commands. It comes with a secure deletion mechanism that overwrites files seven times before renaming and deleting them. Such behavior was previously observed in Lazarus-linked malware families PondRAT and POOLRAT, also known as SIMPLESEA.
Fox-IT said analysis of four RemotePE samples suggests the malware remained under active development from mid-2023 through mid-2024.
“The DPAPILoader, RemotePELoader, and RemotePE toolset represents a deliberate effort to minimise forensic footprint. A RemotePELoader sample from disk uploaded to VirusTotal is useless without the victim’s DPAPI keys. Furthermore, by combining environmental keying via DPAPI with fully in-memory execution of the final payload, the actor ensures that forensic imaging of the disk will not yield recoverable artifacts of RemotePE,” the report said, noting that “this toolset may be reserved for high-value targets where long-term, stealthy access is the objective, consistent with this Lazarus subgroup’s known focus on financial and cryptocurrency organisations.”