RemotePE memory-only RAT activity by Lazarus Group targeting financial and cryptocurrency organizations
Malware Activity
Summary
Hide ▲
Show ▼
The RemotePE malware has been tied to Lazarus Group activity against financial and cryptocurrency organizations, raising the risk of stealthy long-term access and later theft. The intrusion chain uses DPAPILoader and RemotePELoader to decrypt, fetch, and execute the RAT in memory, leaving little on disk for defenders to inspect. Researchers say the toolset uses DPAPI, Hell's Gate, and ETW patching to reduce detection. Samples suggest the malware was under active development from mid-2023 to mid-2024, indicating a mature capability aimed at high-value targets.
Related Happenings
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware Activity
H score22
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware ActivityAbout this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisAbout this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations
Campaign
H score38
First: 25.05.2026 12:32
Last: 25.05.2026 12:32
Sources 1
How related:
"The toolset's environmental keying, memory-only execution, EDR evasion, and low forensic footprint suggest it is purpose-built for long-term observation campaigns," the researchers said.
About this happening:
The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....
Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations
CampaignHow related: "The toolset's environmental keying, memory-only execution, EDR evasion, and low forensic footprint suggest it is purpose-built for long-term observation campaigns," the researchers said.
About this happening: The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....
BeaverTail malware variant with multi-path delivery and follow-on payloads
Malware Activity
H score29
First: 18.12.2025 14:00
Last: 18.12.2025 14:00
Sources 1
About this happening:
A newly observed **BeaverTail** malware variant is stealing wallet data and credentials while loading follow-on payloads, increasing risk for **cryptocurrency traders, developers...
BeaverTail malware variant with multi-path delivery and follow-on payloads
Malware ActivityAbout this happening: A newly observed **BeaverTail** malware variant is stealing wallet data and credentials while loading follow-on payloads, increasing risk for **cryptocurrency traders, developers...
Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia
Malware Activity
H score23
First: 18.10.2025 09:51
Last: 18.10.2025 09:51
Sources 1
About this happening:
The **Winos 4.0** malware operation has expanded its target footprint to **Japan** and **Malaysia** through **HoldingHands RAT**, increasing the reach of a multi-stage phishing de...
Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia
Malware ActivityAbout this happening: The **Winos 4.0** malware operation has expanded its target footprint to **Japan** and **Malaysia** through **HoldingHands RAT**, increasing the reach of a multi-stage phishing de...
Timeline
-
25.05.2026 12:32 3 articles · 1mo ago
RemotePE memory-only RAT activity by Lazarus Group targeting financial and cryptocurrency organizations
Initial DisclosureThe earliest stage begins when **DPAPILoader** decrypts and loads **RemotePELoader** from disk with **DPAPI**. From there, the loader reaches out to **aes-secure[.]net** and prepares the in-memory **RemotePE** payload for execution.
Show sources
- Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms — thehackernews.com — 25.05.2026 12:32
- Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms — thehackernews.com — 25.05.2026 12:32
- Lazarus Group Expands Malware Arsenal With PondRAT, ThemeForestRAT, and RemotePE — thehackernews.com — 02.09.2025 19:39