Deepak Sharma

Lazarus Group Deploying Memory-Only RemotePE Malware Against Financial and Crypto Targets

Cybersecurity researchers have uncovered new details about a stealthy malware framework called “RemotePE” that is reportedly being used by the North Korea-linked Lazarus Group in attacks targeting financial institutions and cryptocurrency organizations.

According to researchers, the malware operates through a multi-stage infection chain designed to avoid detection and maintain long-term access inside compromised systems. The attack reportedly begins with social engineering, where attackers impersonate employees from trading companies and contact victims through platforms like Telegram. Victims are then redirected to fake scheduling websites that help deliver the malware.

The infection chain involves multiple loaders, including DPAPILoader and RemotePELoader. The first loader uses the Windows Data Protection API (DPAPI) to decrypt hidden payloads stored on disk. Once decrypted, the second-stage loader communicates with a remote command-and-control server and retrieves the final payload known as RemotePE.
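Because the first-stage loader depends on DPAPI-protected payloads that sit on disk before decryption, those blobs are one concrete artefact a hunt can look for. The scanner below is an added example written for this post, not code from the original article or from any researcher cited in it. It assumes only the documented DPAPI blob layout (a 4-byte little-endian version field of 1 followed by the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb in its on-disk byte order); the directory names and file contents it builds are constructed samples, not real artefacts from this campaign.

```python
"""Hunt for DPAPI-protected blobs stored on disk (added example, not the post's code)."""
import os
import struct
import tempfile
import uuid
from typing import Dict, List

# Provider GUID used by every DPAPI blob; bytes_le yields the Windows on-disk byte order.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# dwVersion = 1 followed by the provider GUID: the 20-byte header a blob always starts with.
DPAPI_MAGIC = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le


def find_dpapi_blobs(data: bytes) -> List[int]:
    """Return every offset in `data` at which a DPAPI blob header begins."""
    offsets: List[int] = []
    pos = data.find(DPAPI_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(DPAPI_MAGIC, pos + 1)
    return offsets


def scan_tree(root: str, max_size: int = 32 * 1024 * 1024) -> Dict[str, List[int]]:
    """Walk `root` and map each file containing a DPAPI header to its hit offsets.

    Files larger than `max_size` are skipped so the scan stays bounded; unreadable
    files are ignored rather than aborting the hunt. Keys use '/' regardless of OS.
    """
    hits: Dict[str, List[int]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            offsets = find_dpapi_blobs(data)
            if offsets:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = offsets
    return hits


def build_sample_tree(root: str) -> None:
    """Write constructed sample files; these are NOT real artefacts from the campaign."""
    # Header plus opaque filler: recognisable as a blob, but not a decryptable one.
    fake_blob = DPAPI_MAGIC + b"\x00" * 64
    os.makedirs(os.path.join(root, "AppData", "Roaming", "x"), exist_ok=True)
    # 1. A bare blob dropped as a standalone file (hypothetical name).
    with open(os.path.join(root, "AppData", "Roaming", "x", "cache.dat"), "wb") as fh:
        fh.write(fake_blob)
    # 2. A blob appended after benign-looking content, so it is not at offset 0.
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"meeting notes\n" * 10 + fake_blob)
    # 3. An ordinary file with no blob header; must produce no hit.
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")


def demo() -> Dict[str, List[int]]:
    """Build the constructed tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, offsets in demo().items():
        print(f"{rel_path}: DPAPI header at offset(s) {offsets}")
```

Legitimate DPAPI blobs are common (stored credentials and browser data in a user's profile, for example), so a hit is a triage lead rather than a verdict: the interesting cases are blobs in locations that should not hold them, or embedded inside files that are not credential stores, which then point to the process that reads and decrypts them.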

What makes RemotePE especially dangerous is that it runs entirely in memory without being written to disk. This “memory-only” execution significantly reduces forensic evidence and helps the malware avoid traditional antivirus and endpoint detection systems.

Researchers say the malware also includes advanced evasion techniques such as patching Event Tracing for Windows (ETW) and using methods like Hell’s Gate to bypass security monitoring tools.

Once active, RemotePE functions as a fully featured remote access trojan (RAT). It can perform file operations, execute processes, manage DLL modules, collect system information, communicate with attacker-controlled servers, and maintain persistence on infected systems.

One notable capability involves secure file deletion. The malware reportedly overwrites files multiple times before renaming and deleting them, making forensic recovery more difficult.

Security researchers believe the malware is designed for stealthy long-term surveillance rather than immediate disruption. Its low detection footprint and advanced evasion methods suggest it is reserved for high-value targets, particularly organizations in the financial and cryptocurrency sectors.

The campaign once again highlights how advanced threat groups are increasingly targeting crypto platforms, trading firms, and decentralized finance ecosystems through social engineering and sophisticated malware delivery techniques.

Cybersecurity companies like IntelligenceX continue to emphasize the importance of strong endpoint monitoring, employee awareness training, threat hunting, and secure communication practices to defend against modern targeted attacks.
