Find notable cyber news and cases, enriched with sources, timelines, and signals.

RemotePE memory-only RAT activity by Lazarus Group targeting financial and cryptocurrency organizations

Malware Activity
First reported
Last updated
Happening score
H score 28
1 unique sources, 2 articles

Summary

Hide ▲

The RemotePE malware has been tied to Lazarus Group activity against financial and cryptocurrency organizations, raising the risk of stealthy long-term access and later theft. The intrusion chain uses DPAPILoader and RemotePELoader to decrypt, fetch, and execute the RAT in memory, leaving little on disk for defenders to inspect. Researchers say the toolset uses DPAPI, Hell's Gate, and ETW patching to reduce detection. Samples suggest the malware was under active development from mid-2023 to mid-2024, indicating a mature capability aimed at high-value targets.

Related Happenings

TONResolver RAT delivered via ZIP, LNK, and PowerShell

Malware Activity
H score22 First: 30.06.2026 13:30 Last: 30.06.2026 13:30 Sources 1

About this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations

Campaign
H score38 First: 25.05.2026 12:32 Last: 25.05.2026 12:32 Sources 1

How related: "The toolset's environmental keying, memory-only execution, EDR evasion, and low forensic footprint suggest it is purpose-built for long-term observation campaigns," the researchers said.

About this happening: The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....

BeaverTail malware variant with multi-path delivery and follow-on payloads

Malware Activity
H score29 First: 18.12.2025 14:00 Last: 18.12.2025 14:00 Sources 1

About this happening: A newly observed **BeaverTail** malware variant is stealing wallet data and credentials while loading follow-on payloads, increasing risk for **cryptocurrency traders, developers...

Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia

Malware Activity
H score23 First: 18.10.2025 09:51 Last: 18.10.2025 09:51 Sources 1

About this happening: The **Winos 4.0** malware operation has expanded its target footprint to **Japan** and **Malaysia** through **HoldingHands RAT**, increasing the reach of a multi-stage phishing de...

Timeline

  1. 25.05.2026 12:32 3 articles · 1mo ago

    RemotePE memory-only RAT activity by Lazarus Group targeting financial and cryptocurrency organizations

    Initial Disclosure

    The earliest stage begins when **DPAPILoader** decrypts and loads **RemotePELoader** from disk with **DPAPI**. From there, the loader reaches out to **aes-secure[.]net** and prepares the in-memory **RemotePE** payload for execution.

    Show sources