Skip to main content
Emerging ThreatsMalware & Ransomware

Lazarus Group Deploys Memory-Only RAT in Financial Sector Attacks

Brightly-lit financial sector setting with computer workstation in background.

"DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI)," security researchers Yun Zheng Hu and Mick Koomen said.

What RemotePE is and who deployed it

RemotePE is a cross-platform remote access trojan (RAT) used by the North Korea-linked Lazarus Group, according to analysis published by Fox-IT, an NCC Group subsidiary. Fox-IT first highlighted RemotePE in September 2025 after an intrusion that targeted an unnamed organization in the decentralized finance (DeFi) sector and resulted in deployment of multiple malware families, including PondRAT, ThemeForestRAT, and RemotePE.

The three-stage loader chain: Iassvc.dll, RemotePELoader, and in-memory RemotePE

Fox-IT describes a three-stage infection sequence. The initial DLL, tracked as DPAPILoader and present as a file named "Iassvc.dll," uses the Windows Data Protection API (DPAPI) to decrypt and load a second-stage loader from disk. The decrypted second-stage loader — RemotePELoader — contacts a remote server over HTTP (noted as aes-secure[.]net) to retrieve the final payload. That final payload is RemotePE, a RAT executed entirely in memory and never written to disk, leaving no filesystem artifacts.

Fox-IT notes the earliest DPAPILoader artifact dates to November 2023. The vendor obtained four RemotePE samples that suggest the RAT was under active development between mid-2023 and mid-2024, with the first version timestamped July 4, 2023.

Technical evasions and capabilities: Hell's Gate, ETW patching, and C2 command set

RemotePELoader takes explicit steps to evade detection prior to executing the core module: Fox-IT observed usage of techniques such as Hell's Gate and patching Event Tracing for Windows (ETW). The final RemotePE payload is written in C++ and operates as a memory-only RAT that polls a command-and-control (C2) server for instructions.

Fox-IT cataloged six categories of commands supported by RemotePE: obtaining or modifying the C2 configuration; changing the current working directory and managing DLL modules; performing file operations; enumerating, creating, or killing processes; sleeping for a set interval or exiting; and pinging the server. A notable file-deletion command overwrites each targeted file with constant bytes seven times before renaming and deleting it — a behaviour observed previously in PondRAT and POOLRAT (aka SIMPLESEA). Fox-IT assesses PondRAT as a lightweight version of POOLRAT.

The observed intrusion path: social engineering, Telegram, and fake scheduling domains

Fox-IT ties the use of RemotePE to an intrusion that began with social engineering on Telegram. The actor approached an employee while posing as an existing employee of a trading company and arranged a meeting using counterfeit scheduling sites hosted on fake Calendly and Picktime domains. The compromise of that employee device led to deployment of three malware families during the intrusion.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: The toolset's memory-only execution, DPAPI-based loader, ETW patching, and Hell's Gate evasion indicate the need to monitor behaviors beyond filesystem indicators. Fox-IT emphasized the toolset's low forensic footprint and environmental keying.
  • Policymakers and regulators: Fox-IT highlighted that neither RemotePELoader nor RemotePE appeared on VirusTotal prior to publication, underscoring detection gaps in commodity scanning and the potential for tailored toolsets to be reserved for high-value targets.
  • Affected enterprises and procurement leaders (financial and cryptocurrency organizations): Fox-IT assesses the actor-in-the-loop delivery model and the toolset's low detection rate as consistent with use against high-value financial and cryptocurrency targets, and warns that long-term stealthy access may precede a high-impact objective such as data theft or a large-scale financial heist.

Fox-IT summarizes the threat succinctly: the combination of environmental keying, memory-only execution, EDR evasion, and low forensic footprint makes the toolset "purpose-built for long-term observation campaigns," enabling an actor to quietly maintain access before moving to a high-impact final objective.

Taken together, the technical details and the social-engineering entry point sketch a deliberate, patient campaign model: tailored loaders that use DPAPI to hide second stages, HTTP-based C2 reach-back to aes-secure[.]net, and a memory-resident RAT written in C++ with a compact but effective command set. The record of development from July 4, 2023 through mid-2024 and the presence of DPAPILoader artifacts since November 2023 further indicate a multi-year effort.

For defenders and decision-makers, the imperative is clear in the facts Fox-IT presents: detection strategies that rely primarily on file signatures will miss memory-only tools, and social-engineering vectors such as impersonation on messaging apps combined with fake scheduling pages remain an effective first step. Whether the actor chooses to remain observational or to escalate to a disruptive or financially destructive action is not spelled out in the samples Fox-IT examined — only that the toolset is consistent with a long-game approach against financial and cryptocurrency organizations.

Original story