North Korea-linked threat actors deploy advanced multi-stage RemotePE remote access trojan designed for ultra-stealthy, fileless espionage against high-value financial and cryptocurrency targets.
Cybersecurity researchers have uncovered a sophisticated malware campaign attributed to the Lazarus Group, a North Korea-linked advanced persistent threat (APT), targeting financial institutions and cryptocurrency organizations with a powerful memory-resident remote access trojan known as RemotePE.
According to research from Fox-IT, a subsidiary of NCC Group, the malware is part of a carefully engineered multi-stage infection chain that prioritizes stealth, persistence, and minimal forensic traceability.
Multi-Stage Infection Chain Built for Stealth
The attack begins with two loader components identified as DPAPILoader and RemotePELoader. The first stage uses the Windows Data Protection API (DPAPI) to decrypt the next stage from an encrypted blob stored on disk. Because DPAPI keys are derived from the victim's user or machine credentials, that blob only decrypts on the infected host; a copy lifted into a sandbox or onto an analyst's workstation yields nothing, which ties the payload to its victim and frustrates offline analysis.
Once running, DPAPILoader retrieves and executes RemotePELoader, which communicates with a command-and-control (C2) server. This intermediate loader downloads the final payload and executes it entirely in memory; the core malware is never written to disk.
Security analysts highlight that this fileless approach sharply reduces the chance of detection by endpoint tools that rely on scanning files on disk, and leaves little for disk forensics to recover after the fact.
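To see why a DPAPI-sealed stage defeats off-host analysis, the following added example (not the loader's code and not from the Fox-IT report) protects a stand-in blob with DPAPI and then tries to unprotect it. The plaintext, file name and CurrentUser scope are assumptions; the report does not state which scope the real loader uses or whether it supplies optional entropy.

```powershell
# Added example: DPAPI binds a blob to the protecting user or machine, so it only decrypts in that context.
Add-Type -AssemblyName System.Security -ErrorAction SilentlyContinue   # needed on Windows PowerShell 5.1

$stage2   = [System.Text.Encoding]::UTF8.GetBytes('placeholder for next-stage loader bytes')  # constructed stand-in
$scope    = [System.Security.Cryptography.DataProtectionScope]::CurrentUser                   # assumption; LocalMachine binds to the host instead
$blobPath = Join-Path $env:TEMP 'stage.bin'                                                   # constructed path

# "Seal" step, as it would happen on the victim: the blob is encrypted under this user's DPAPI master key.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($stage2, $null, $scope)
[System.IO.File]::WriteAllBytes($blobPath, $blob)

function Unprotect-StageBlob {
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $data = [System.IO.File]::ReadAllBytes($Path)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($data, $null, $Scope)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    } catch [System.Security.Cryptography.CryptographicException] {
        # This branch is what an analyst hits after copying the blob to another user or another machine.
        return "DPAPI Unprotect failed: $($_.Exception.Message)"
    }
}

# Same user, same host: returns the plaintext.
Unprotect-StageBlob -Path $blobPath -Scope $scope
```

Run the `Unprotect-StageBlob` half as a different account (for example under `runas`) or after copying `stage.bin` to another machine and the call fails with a CryptographicException. The practical consequence for incident response is that the decrypted stage must be captured on the compromised host in the victim's session, or the user's DPAPI master key material and the credential that protects it must be collected along with the blob.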
Advanced Evasion Techniques and Memory-Only Execution
RemotePELoader incorporates multiple anti-analysis and evasion methods. One is Hell's Gate, in which the loader reads system call numbers straight out of the syscall stubs in ntdll.dll and issues the system calls itself, so that user-mode hooks placed on those stubs by EDR products never see the calls. Another is tampering with Event Tracing for Windows (ETW), typically done by patching the ETW write routines in the loader's own process so that it stops emitting the telemetry that EDR and logging pipelines consume. Both are designed to blind security monitoring and hinder forensic investigation.
The loader connects to remote infrastructure hosted on domains such as "aes-secure[.]net" to retrieve the final-stage payload, so the code that actually runs can be swapped server-side and exists on the victim only at run time, which makes it hard to collect and track.
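The following added example (written for this page, not taken from the report or the malware) shows what Hell's Gate actually parses and gives a responder a quick in-process check for the ETW patch. It reads the first bytes of a few ntdll exports in the current process: a clean x64 syscall stub starts with `mov r10, rcx; mov eax, SSN`, which is exactly where Hell's Gate takes the number from, while an inline hook replaces those bytes with a jump. The export names and patch patterns are standard; everything else is an assumption of this example.

```powershell
# Added example: inspect ntdll syscall stubs and EtwEventWrite in the current process (x64 only).
$sig = @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'Kernel32' -Namespace 'StubCheck' -PassThru

function Get-ExportBytes {
    param([string]$Module, [string]$Export, [int]$Count = 32)
    $h = $k32::GetModuleHandle($Module)
    if ($h -eq [IntPtr]::Zero) { throw "module $Module is not loaded" }
    $p = $k32::GetProcAddress($h, $Export)
    if ($p -eq [IntPtr]::Zero) { throw "export $Export not found in $Module" }
    $buf = New-Object byte[] $Count
    [System.Runtime.InteropServices.Marshal]::Copy($p, $buf, 0, $Count)
    return $buf
}

function Test-SyscallStub {
    # Clean x64 stub: 4C 8B D1 (mov r10,rcx) B8 nn nn 00 00 (mov eax,SSN). Hell's Gate reads the
    # SSN from offset 4 and then issues the syscall itself. An EDR inline hook starts with E9 (jmp).
    param([Parameter(Mandatory)][string]$Name)
    $b = Get-ExportBytes -Module 'ntdll.dll' -Export $Name
    if ($b[0] -eq 0x4C -and $b[1] -eq 0x8B -and $b[2] -eq 0xD1 -and $b[3] -eq 0xB8) {
        $ssn = [BitConverter]::ToUInt32($b, 4)
        return [pscustomobject]@{ Export = $Name; Hooked = $false; SSN = ('0x{0:X}' -f $ssn) }
    }
    $hooked = ($b[0] -eq 0xE9) -or ($b[0] -eq 0xFF -and $b[1] -eq 0x25)
    return [pscustomobject]@{ Export = $Name; Hooked = $hooked; SSN = $null }
}

function Test-EtwEventWritePatched {
    # Common ETW-bypass patches make EtwEventWrite return at once: "ret", "xor eax,eax; ret", "mov eax,0; ret".
    $b = Get-ExportBytes -Module 'ntdll.dll' -Export 'EtwEventWrite' -Count 8
    $patterns = @(
        @(0xC3),
        @(0x33, 0xC0, 0xC3),
        @(0x31, 0xC0, 0xC3),
        @(0xB8, 0x00, 0x00, 0x00, 0x00, 0xC3)
    )
    foreach ($pat in $patterns) {
        $match = $true
        for ($i = 0; $i -lt $pat.Length; $i++) {
            if ($b[$i] -ne $pat[$i]) { $match = $false; break }
        }
        if ($match) { return $true }
    }
    return $false
}

'NtAllocateVirtualMemory', 'NtProtectVirtualMemory', 'NtWriteVirtualMemory', 'NtCreateThreadEx' |
    ForEach-Object { Test-SyscallStub -Name $_ } | Format-Table -AutoSize
"EtwEventWrite patched in this process: $(Test-EtwEventWritePatched)"
```

Two caveats. `Hooked = True` on a host running an EDR that hooks these exports is the expected baseline, not an alert; the interesting finding is the opposite, a process where hooks that should be present are gone. And Hell's Gate does not remove hooks, it sidesteps them, so this check cannot see direct syscalls at all; catching those needs kernel-side telemetry such as call-stack inspection. The ETW check is also pattern-based: a patch using other bytes, or a hardware breakpoint, will not match.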
Full-Fledged RAT Designed for Long-Term Access
The final payload, RemotePE, is a fully functional remote access trojan written in C++. Once deployed, it continuously communicates with its C2 infrastructure, awaiting commands from operators.
The malware supports a wide range of functions, including:
- Managing and modifying command-and-control configuration
- File system operations such as creation, deletion, and modification
- Process control, including launching and terminating applications
- Loading and unloading DLL modules
- System state management, including sleep and self-termination
- Server communication checks and status reporting
One particularly destructive feature is secure file deletion. RemotePE overwrites a targeted file several times with a fixed byte pattern, renames it, and only then deletes it, so that carving the freed clusters recovers the pattern rather than the original contents. Similar behavior has previously been observed in related malware families used by the same threat actor.
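To measure what such a wipe leaves behind, the following added example (not RemotePE's code and not from the report) reproduces the overwrite, rename and delete sequence on a constructed lab file. The pass count, fill byte and chunk size are assumptions; the report only says the file is overwritten multiple times with static data.

```powershell
# Added example: overwrite -> rename -> delete on a lab file, so artifacts can be checked afterwards.
function Invoke-OverwriteRenameDelete {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Passes = 3,      # assumption: the report gives no pass count
        [byte]$Fill = 0x00     # assumption: "static data" is a fixed byte here
    )
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None)
    try {
        $length = $fs.Length
        $chunk = New-Object byte[] 65536
        for ($i = 0; $i -lt $chunk.Length; $i++) { $chunk[$i] = $Fill }   # same pattern every pass
        for ($pass = 1; $pass -le $Passes; $pass++) {
            $fs.Position = 0
            $remaining = $length
            while ($remaining -gt 0) {
                $n = [int][Math]::Min([long]$chunk.Length, $remaining)
                $fs.Write($chunk, 0, $n)
                $remaining -= $n
            }
            $fs.Flush($true)   # push the overwrite past the OS cache before the next pass
        }
    } finally {
        $fs.Dispose()
    }
    # Rename to a throwaway name, then delete: the original name no longer points at the data.
    $dir = Split-Path -Parent (Resolve-Path -LiteralPath $Path)
    $newName = [System.IO.Path]::GetRandomFileName()
    Rename-Item -LiteralPath $Path -NewName $newName
    $renamed = Join-Path $dir $newName
    Remove-Item -LiteralPath $renamed -Force
    return $renamed
}

# Lab run on a constructed file (not a sample from the report).
$victim = Join-Path $env:TEMP 'wipe-test.txt'
Set-Content -LiteralPath $victim -Value ('SENSITIVE-LEDGER ' * 4096) -NoNewline
$gone = Invoke-OverwriteRenameDelete -Path $victim -Passes 3 -Fill 0x00
"Deleted as $gone; original path still present: $(Test-Path -LiteralPath $victim)"
```

After running it, `fsutil usn readjournal C:` (as administrator, on the volume holding the file) still shows the rename with both the original and the random name and the subsequent delete, which is the artifact that links the throwaway name back to the file that disappeared. Carving the freed clusters returns only the fill bytes, but Volume Shadow Copies, backups, and flash storage whose controller maps the overwrite to new physical blocks can still hold the original contents; the technique defeats file carving, not every recovery path.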
Evidence of Active Development and Evolution
Security researchers have identified multiple RemotePE samples suggesting active development between mid-2023 and mid-2024, with the earliest known build timestamp dating back to July 2023.
The infection framework itself has been in circulation since at least November 2023, indicating a long-term and evolving tooling ecosystem behind the campaign.
Fox-IT notes that RemotePE was first publicly associated with a decentralized finance (DeFi) attack in late 2025, where it was deployed alongside other malware variants used for persistence and lateral movement.
Designed for High-Value, Low-Detection Operations
Experts believe the RemotePE toolkit is purpose-built for covert surveillance operations targeting high-value victims in the financial and cryptocurrency sectors.
Its architecture emphasizes:
- Fileless, in-memory execution
- Environmental keying to avoid sandbox analysis
- Strong evasion against endpoint detection and response (EDR) tools
- Minimal forensic artifacts on compromised systems
Researchers warn that this design strongly suggests the malware is intended for long-term infiltration before executing high-impact operations such as large-scale theft or data exfiltration.
Conclusion
The emergence of RemotePE highlights the continued evolution of Lazarus Group’s cyber capabilities, particularly in developing stealth-first malware tailored for financially motivated espionage. With its advanced evasion techniques and fully memory-based execution, RemotePE represents a significant challenge for traditional cybersecurity defenses.
Organizations in the finance and cryptocurrency sectors are urged to strengthen endpoint monitoring, implement behavioral detection, and look for the traces this kind of tooling cannot avoid: executable memory regions not backed by a file on disk, processes that stop emitting ETW telemetry, loaders calling into DPAPI, and outbound connections to the infrastructure named in the report.