TL;DR:
- Lazarus is deploying RemotePE, a fileless RAT that runs in memory and targets crypto companies, banks and fintech firms through social engineering.
- Attackers pose as trading firm employees on Telegram, use fake scheduling tools and move victims toward a staged compromise before malware installation.
- RemotePE uses DPAPI, in-memory execution, Hell’s Gate and ETW patching, while North Korea-linked hackers accounted for a reported $577 million in crypto theft in early 2026.
North Korea’s Lazarus Group has surfaced with another unsettling cyber playbook, this time centered on RemotePE, a fileless remote access trojan aimed at crypto companies, banks and fintech firms. The campaign is striking because the malware runs entirely in memory, leaving little forensic residue for conventional tools to inspect. The disturbing shift is the attack’s quietness, not just its target list: operators combine social engineering with malware engineered to stay unseen long enough to study victims, move deeper into high-value financial systems and potentially stage follow-on intrusions without triggering immediate alarms inside the affected institutions.
🚨 Lazarus deployed a new memory-only RAT against crypto and financial organizations. https://t.co/45TsNCFCOx
The RemotePE malware executes entirely in memory with no filesystem artifacts, using DPAPI loaders, ETW patching, and Hell’s Gate techniques to evade detection and…
— The Hacker News (@TheHackersNews) May 25, 2026
A quieter breach model emerges
The intrusion path begins less like a cinematic breach than a routine business interaction. Lazarus operators pose as trading firm employees on Telegram, then use fake versions of Calendly and Picktime to arrange meetings and make the lure feel ordinary. Once the target approves a meeting, the first malware component is installed and the chain starts moving. The human-in-the-loop approach gives the attackers credibility: the victim is not merely clicking a random file but responding to a staged professional exchange designed to lower suspicion inside the targeted crypto and banking teams before the technical compromise begins.
RemotePE’s mechanics explain why the campaign is hard to contain. The chain starts with DPAPILoader, a DLL also known as Iassvc.dll that has been seen since November 2023, which uses Windows DPAPI to decrypt a payload kept on disk. That payload is passed to RemotePELoader, which connects to aes-secure[.]net, downloads the final stage and runs it in memory. RemotePE never touches the filesystem in its main stage, while Hell’s Gate techniques and ETW patching are used to sidestep EDR defenses, sharply reducing the evidence available to responders during the critical early window in which internal teams try to identify a compromise inside their networks.
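As an added example (not from the write-up, The Hacker News or any vendor tooling), a small Python correlator that flags the two observables this paragraph names, a load of the loader DLL and a lookup of or connection to the staging domain, when they occur in the same process. The field names follow Sysmon event IDs 7 (image load), 22 (DNS query) and 3 (network connection); the sample events, process ids and paths are constructed.

```python
"""Correlate Sysmon-style events into a RemotePE-chain alert (added example)."""
from collections import defaultdict

# Indicators taken from the write-up: the loader DLL name and the staging domain
# (printed defanged). Refanged here only so it matches real DNS/network telemetry.
LOADER_DLL = "iassvc.dll"
STAGING_DOMAIN = "aes-secure[.]net".replace("[.]", ".")

# Constructed sample telemetry: process 4120 loads the loader DLL and then resolves
# and connects to the staging domain; process 5200 only resolves an unrelated host.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\ProgramData\\Iassvc.dll"},
    {"EventID": 22, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "aes-secure.net"},
    {"EventID": 3, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationHostname": "aes-secure.net"},
    {"EventID": 22, "ProcessId": 5200, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "QueryName": "example.org"},
]


def correlate(events):
    """Return one alert per process that showed at least one chain indicator.

    Sysmon EventID 7 = image load, 22 = DNS query, 3 = network connection.
    Two independent stages in the same process is the high-confidence signal;
    a lone indicator is still reported, at low severity, for triage.
    """
    seen = defaultdict(set)  # pid -> indicator tags observed for that process
    images = {}              # pid -> last seen process image path
    for e in events:
        pid = e["ProcessId"]
        images[pid] = e.get("Image")
        if e["EventID"] == 7 and e.get("ImageLoaded", "").lower().endswith("\\" + LOADER_DLL):
            seen[pid].add("loader_dll")
        if e["EventID"] == 22 and e.get("QueryName", "").lower() == STAGING_DOMAIN:
            seen[pid].add("staging_dns")
        if e["EventID"] == 3 and e.get("DestinationHostname", "").lower() == STAGING_DOMAIN:
            seen[pid].add("staging_conn")
    alerts = []
    for pid, tags in seen.items():
        severity = "high" if len(tags) >= 2 else "low"
        alerts.append({"pid": pid, "image": images[pid],
                       "indicators": sorted(tags), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Because the final stage runs only in memory, this catches the on-disk loader and the staging traffic rather than RemotePE itself; pair it with memory-scanning or ETW-integrity checks on any process it flags.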
The financial context makes the campaign even harder to treat as isolated malware activity. In one reported incident, a DeFi firm’s infrastructure was compromised by RemotePE, PondRAT and ThemeForestRAT, which replaced one another over time. Analysts also linked the design to long-term reconnaissance before a strike. The strategic risk is cumulative financial extraction: North Korea-linked hackers are credited with about $577 million in crypto theft during the first four months of 2026, 76% of global crypto thefts, and roughly $6 billion stolen since 2017, underlining why financial security teams now face a longer campaign horizon.