Cybersecurity researchers have shed light on a cross-platform malware called RemotePE that has been put to use by the North Korea-linked Lazarus Group in attacks targeting financial and cryptocurrency organizations.
RemotePE, per NCC Group subsidiary Fox-IT, is part of a multi-stage attack chain that involves two loaders tracked as DPAPILoader and RemotePELoader.
“DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI),” security researchers Yun Zheng Hu and Mick Koomen said. “RemotePELoader beacons to a C2 server and waits until it receives the next stage: RemotePE, a RAT executed entirely in memory and never written to disk, leaving no filesystem artifacts.”
RemotePE was first highlighted by the security vendor in September 2025 in connection with an attack targeting an unnamed organization in the decentralized finance (DeFi) sector, leading to the deployment of three malware families, including PondRAT, ThemeForestRAT, and RemotePE.
The intrusion commenced with the compromise of an employee’s device through social engineering, after having approached the victim on Telegram under the guise of an existing employee of a trading company and scheduling a meeting on fake Calendly and Picktime domains.
The RemotePE infection sequence goes through three stages, with the DPAPILoader DLL (“Iassvc.dll”) responsible for decrypting and loading an encrypted payload from disk using DPAPI. The earliest DPAPILoader artifact dates back to November 2023.
The decrypted payload is another loader, RemotePELoader, which is designed to contact a remote server (“aes-secure[.]net”) over HTTP, fetch the core module, and execute it in memory, but not before taking steps to evade detection using techniques like Hell’s Gate and patching Event Tracing for Windows (ETW).
The final stage is a full-fledged remote access trojan named RemotePE that’s written in C++ and polls a command-and-control (C2) server for further instructions. The malware supports six categories of commands, allowing it to –
- Obtain or modify the C2 configuration
- Get or change the current working directory, register a new DLL module, get loaded DLLs, and unload a DLL
- Perform file operations
- Get a list of running processes, create a new process, or kill process by ID
- Sleep for a predetermined interval or exit RemotePE
- Ping the server
A notable aspect of the file deletion command is that it overwrites each file with constant bytes seven times before renaming and deleting it, a pattern also observed in PondRAT and POOLRAT (aka SIMPLESEA). PondRAT is assessed to be a lightweight version of POOLRAT.
Fox-IT said it obtained four RemotePE samples that indicate the RAT was under active development between mid-2023 and mid-2024. The first version has a timestamp of July 4, 2023.
“The toolset’s environmental keying, memory-only execution, EDR evasion, and low forensic…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
