RemotePE memory-only RAT activity by Lazarus Group targeting financial and cryptocurrency organizations
Malware Activity
Summary
The RemotePE malware has been tied to Lazarus Group activity against financial and cryptocurrency organizations, raising the risk of stealthy long-term access followed by theft. The intrusion chain uses DPAPILoader and RemotePELoader to decrypt, fetch, and execute the RAT in memory, leaving little on disk for defenders to inspect. Researchers say the toolset uses DPAPI, Hell's Gate, and ETW patching to reduce detection: DPAPI keys the encrypted stage to the victim's user or machine so the blob cannot be decrypted off-host, Hell's Gate resolves syscall numbers from ntdll and issues direct syscalls to bypass user-mode EDR hooks, and patching ETW functions blinds the telemetry that EDR and logging rely on. Samples suggest the malware was under active development from mid-2023 to mid-2024, indicating a mature capability aimed at high-value targets.
Related Happenings
Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations
Campaign
First: 25.05.2026 12:32
Last: 25.05.2026 12:32
Sources 1
How related:
"The toolset's environmental keying, memory-only execution, EDR evasion, and low forensic footprint suggest it is purpose-built for long-term observation campaigns," the researchers said.
About this happening:
The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....
BeaverTail malware variant with multi-path delivery and follow-on payloads
Malware Activity
First: 18.12.2025 14:00
Last: 18.12.2025 14:00
Sources 1
About this happening:
A newly observed **BeaverTail** malware variant is stealing wallet data and credentials while loading follow-on payloads, increasing risk for **cryptocurrency traders, developers...
Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia
Malware Activity
First: 18.10.2025 09:51
Last: 18.10.2025 09:51
Sources 1
About this happening:
The **Winos 4.0** malware operation has expanded its target footprint to **Japan** and **Malaysia** through **HoldingHands RAT**, increasing the reach of a multi-stage phishing de...
PureRAT malware activity in a multi-stage intrusion chain
Malware Activity
First: 09.10.2025 17:01
Last: 09.10.2025 17:01
Sources 1
About this happening:
The **PureRAT** backdoor was deployed as the final stage of a multi-stage intrusion chain, giving operators **complete control** over compromised hosts and enabling **surveillance...
Lazarus Group social engineering campaign targeting a DeFi organization
Campaign
First: 02.09.2025 19:39
Last: 02.09.2025 19:39
Sources 1
How related:
The North Korea-linked threat actor known as the Lazarus Group has been attributed to a social engineering campaign that distributes three different pieces of cross-platform malware called PondRAT, ThemeForestRAT, and RemotePE.
About this happening:
**Lazarus Group** ran a **social engineering campaign** in **2024** that targeted a **DeFi organization** and compromised an employee system, creating a foothold for malware deplo...
Timeline
25.05.2026 12:32 · 3 articles
RemotePE memory-only RAT activity by Lazarus Group targeting financial and cryptocurrency organizations
Initial Disclosure: The first stage begins when **DPAPILoader** uses **DPAPI** to decrypt **RemotePELoader** from its on-disk blob and load it. The loader then reaches out to **aes-secure[.]net** and stages the **RemotePE** payload for execution in memory.
Sources:
- Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms — thehackernews.com — 25.05.2026 12:32
- Lazarus Group Expands Malware Arsenal With PondRAT, ThemeForestRAT, and RemotePE — thehackernews.com — 02.09.2025 19:39