The PolySwarm Blog

Lazarus Expands Financial Espionage Operations With Memory-Resident RemotePE RAT

May 29, 2026 3:21:34 PM / by The Hivemind

Verticals Targeted: Financial, Cryptocurrency
Related Threat Actors: Lazarus
Related Families: DPAPILoader, RemotePELoader, RemotePE

Executive Summary

Researchers identified a sophisticated Lazarus-linked malware ecosystem composed of DPAPILoader, RemotePELoader, and RemotePE, a chained toolset designed for stealth, persistence, and long-term access in high-value financial and cryptocurrency environments. The malware leverages DPAPI-based environmental keying, direct syscall techniques, ETW suppression, and memory-only payload execution to minimize forensic visibility and evade modern endpoint defenses.

Key Takeaways

  • Lazarus-linked operators deployed a three-stage malware chain using DPAPI-encrypted payloads and fully memory-resident execution.
  • RemotePELoader uses HellsGate/TartarusGate syscall resolution and ETW patching to bypass userland EDR telemetry.
  • RemotePE supports modular plugin loading, file operations, process control, command execution, and encrypted C2 communications.
  • Infrastructure and operational patterns strongly align with prior North Korean financial espionage and cryptocurrency theft campaigns.

Background

A newly documented malware framework attributed to a Lazarus subgroup demonstrates a continued evolution toward stealth-focused intrusion tooling targeting financial and cryptocurrency organizations. The campaign overlaps with activity clusters associated with AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces. Researchers identified the malware during incident response investigations where older Lazarus tooling, including ThemeForestRAT and PondRAT, had been replaced with a significantly more advanced memory-only framework. Fox-IT recently reported on this activity.

The framework consists of three interconnected malware families:

  • DPAPILoader – First-stage loader responsible for decrypting payloads tied to victim-specific DPAPI keys.
  • RemotePELoader – Second-stage loader that retrieves payloads from C2 infrastructure.
  • RemotePE – Final-stage in-memory RAT never written to disk.

The architecture emphasizes operational security through environmental keying, low disk presence, encrypted communications, and anti-analysis techniques designed to frustrate both static analysis and endpoint telemetry collection.

DPAPILoader: Environmentally Keyed Initial Access Loader

DPAPILoader functions as the first-stage component responsible for decrypting and executing encrypted payloads tied to the victim environment via the Windows Data Protection API (DPAPI). In one observed intrusion, the malware was deployed as C:\Windows\System32\Iassvc.dll under a malicious Windows service masquerading as the legitimate Internet Authentication Service (IAS).

The malware abuses Windows service infrastructure to establish persistence through svchost.exe while imitating legitimate Windows components. Researchers noted the malicious DLL intentionally mimicked the legitimate iassvcs.dll naming convention, differing by only a single character.

DPAPILoader searches the following directory for encrypted payloads:

C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\

It filters out legitimate Microsoft Cabinet files by checking for the MSCF magic bytes and decrypts remaining files larger than 50 KiB using DPAPI before reflective loading through the open-source libpeconv library.

The malware applies an additional XOR operation using the constant 0x8D after DPAPI decryption, creating a layered protection mechanism. This environmental keying model ensures the encrypted payload is only usable on the victim system possessing the corresponding DPAPI keys. Researchers identified multiple DPAPILoader variants utilizing different execution methods, including service execution, DLL sideloading via ESET software, and export-based loading through WMI-related functionality.
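The selection rule above (skip anything carrying the MSCF cabinet magic, consider only files over 50 KiB, DPAPI-decrypt, then XOR with 0x8D) is also a hunt rule for responders. The following is an added example written for this bulletin, not PolySwarm's or the researchers' code: it lists the files in a DeviceMetadataStore-style directory that DPAPILoader would try to decrypt, and applies the post-DPAPI XOR layer to a blob that has already been DPAPI-decrypted on the victim host. The staging directory path is the one the bulletin names; the sample files and the fake PE header are constructed for the demonstration.

```python
"""Hunt for DPAPILoader-style staged payloads and peel the XOR 0x8D layer.

Added example, not PolySwarm's or the researchers' code. Sample files are
constructed; the DPAPI step itself (CryptUnprotectData) has to run on the
victim host with that machine's or user's keys and is not reproduced here.
"""
import tempfile
from pathlib import Path

# Directory DPAPILoader scans, per the bulletin (shown for reference; the
# functions below take any directory so they can run against a collected copy).
STAGING_DIR = r"C:\ProgramData\Microsoft\Windows\DeviceMetadataStore"
CAB_MAGIC = b"MSCF"       # legitimate Microsoft Cabinet files start with this
MIN_SIZE = 50 * 1024      # the loader ignores files at or below 50 KiB
XOR_KEY = 0x8D            # constant applied after DPAPI decryption


def is_cabinet(path: Path) -> bool:
    """True if the file carries the MSCF magic the loader uses to skip real cabinets."""
    with open(path, "rb") as fh:
        return fh.read(4) == CAB_MAGIC


def candidate_payloads(directory) -> list:
    """Return files in `directory` matching the loader's own selection rule.

    A non-cabinet larger than 50 KiB is exactly what DPAPILoader would hand to
    DPAPI, so it is what a responder should collect for decryption on the host.
    """
    hits = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        if entry.stat().st_size <= MIN_SIZE:
            continue
        if is_cabinet(entry):
            continue
        hits.append(entry)
    return hits


def unxor_and_check_pe(dpapi_plaintext: bytes) -> tuple:
    """Apply the XOR 0x8D layer to an already DPAPI-decrypted blob.

    Returns (decoded_bytes, looks_like_pe). A correct key chain should expose
    the MZ header of the reflectively loaded payload.
    """
    decoded = bytes(b ^ XOR_KEY for b in dpapi_plaintext)
    return decoded, decoded[:2] == b"MZ"


def build_demo_dir() -> str:
    """Create a temp directory with constructed files that exercise each rule."""
    d = Path(tempfile.mkdtemp(prefix="dms_demo_"))
    # Real-looking cabinet: right magic and large enough, must be skipped.
    (d / "legit.cab").write_bytes(CAB_MAGIC + b"\x00" * (60 * 1024))
    # Small non-cabinet: below the size threshold, skipped.
    (d / "small.dat").write_bytes(b"\x11" * 1024)
    # Large non-cabinet (deterministic filler, 60 KiB): what the loader would decrypt.
    (d / "staged.bin").write_bytes(bytes(range(256)) * 240)
    return str(d)


if __name__ == "__main__":
    demo = build_demo_dir()
    for p in candidate_payloads(demo):
        print("candidate payload:", p.name, p.stat().st_size, "bytes")
    # Constructed stand-in for a DPAPI-decrypted blob: a fake PE header XORed with 0x8D.
    fake_pe = b"MZ" + b"\x90" * 62
    blob = bytes(b ^ XOR_KEY for b in fake_pe)
    print("XOR 0x8D layer yields a PE header:", unxor_and_check_pe(blob)[1])
```

Run it against a copy of the staging directory collected from a suspect host; anything it lists is worth decrypting on that host, since the DPAPI keying means the blob is useless anywhere else.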

RemotePELoader: Stealth-Oriented Memory Loader

Once decrypted, DPAPILoader launches RemotePELoader, the second-stage component responsible for retrieving the final RemotePE RAT from attacker-controlled infrastructure. Before conducting any network activity, RemotePELoader performs multiple defense evasion operations.

The malware implements the TartarusGate variant of the HellsGate technique to dynamically resolve Windows syscall numbers directly from ntdll.dll, bypassing userland API hooks commonly deployed by endpoint security products. Using direct syscalls, the malware remaps clean DLL copies from the Windows \KnownDlls object directory, effectively removing security hooks placed by EDR products. This technique significantly reduces telemetry visibility for userland monitoring solutions. RemotePELoader additionally patches the EtwEventWrite() function to disable Event Tracing for Windows (ETW) event generation by forcing the function to immediately return success without logging events.
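An integrity check that diffs the first bytes of a loaded function against the same bytes in the file on disk is the usual way to surface the EtwEventWrite patch described above. The block below is an added example, not the researchers' or PolySwarm's code. Both byte strings are constructed stand-ins and not the real ntdll.dll prologue; on a live Windows host the "disk" bytes would be read from the module under System32 and the "memory" bytes from the loaded copy using whatever collector you already run.

```python
"""Detect an in-memory patch of a function prologue by comparing it with the on-disk image.

Added example, not the researchers' or PolySwarm's code. DISK_PROLOGUE and
PATCHED_PROLOGUE are constructed bytes, not the real ntdll.dll contents.
"""
from dataclasses import dataclass

# Constructed, plausible-looking x64 prologue standing in for the on-disk bytes.
DISK_PROLOGUE = bytes([0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x20])
# Constructed patched copy: a three-byte stub that returns 0 (STATUS_SUCCESS) at
# entry, followed by the untouched remainder of the prologue.
EARLY_RETURN_STUB = bytes([0x33, 0xC0, 0xC3])
PATCHED_PROLOGUE = EARLY_RETURN_STUB + DISK_PROLOGUE[len(EARLY_RETURN_STUB):]

RET = 0xC3
JMP_REL32 = 0xE9


@dataclass
class Finding:
    function: str
    offset: int      # first differing byte
    disk: bytes      # what the file says should be there
    memory: bytes    # what is actually mapped


def diff_prologue(function: str, disk: bytes, memory: bytes) -> list:
    """Return one Finding per contiguous run of bytes where memory != disk."""
    findings = []
    n = min(len(disk), len(memory))
    i = 0
    while i < n:
        if disk[i] == memory[i]:
            i += 1
            continue
        start = i
        while i < n and disk[i] != memory[i]:
            i += 1
        findings.append(Finding(function, start, disk[start:i], memory[start:i]))
    return findings


def classify(findings: list) -> str:
    """Label the divergence so a triage queue can prioritise it."""
    if not findings:
        return "clean"
    first = findings[0]
    if first.offset == 0 and first.memory[0] == JMP_REL32:
        # A jmp at entry is what userland EDR hooks look like; expected unless
        # the target lies outside any known security product module.
        return "entry redirected (inline hook)"
    if first.offset == 0 and RET in first.memory:
        # Short stub ending in ret: the body is never reached, which is the
        # ETW-suppression pattern the bulletin describes.
        return "entry short-circuited (early-return stub)"
    return "modified at offset %d" % first.offset


def check_etw_event_write(disk: bytes = DISK_PROLOGUE,
                          memory: bytes = PATCHED_PROLOGUE) -> str:
    """Classify the constructed EtwEventWrite prologue pair."""
    return classify(diff_prologue("EtwEventWrite", disk, memory))


if __name__ == "__main__":
    print("EtwEventWrite:", check_etw_event_write())
```

The same comparison doubles as a remapping check: a process whose ntdll.dll reports "clean" where your EDR expects to see its own inline hook has had the hooked copy replaced by the pristine \KnownDlls image, which is the second evasion step the bulletin describes.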

The loader then retrieves a DPAPI-encrypted configuration file from disk containing:

  • Multiple C2 URLs
  • Proxy configuration data
  • Sleep timers
  • User-agent strings
  • Session management parameters

C2 communications occur over HTTP POST requests using specially crafted cookie fields designed to resemble legitimate Microsoft telemetry traffic. RemotePELoader establishes a session with the server before repeatedly polling for a payload. Researchers observed that payload delivery frequently required manual operator interaction, suggesting an actor-in-the-loop operational model. Once the operator initiates payload delivery, the server returns an AES-GCM encrypted and Base64-encoded PE payload that is decrypted and reflectively loaded directly into memory.

RemotePE: Fully Memory-Resident Remote Access Trojan

RemotePE represents the final-stage payload and primary operational RAT within the framework. The malware executes entirely in memory and leaves no filesystem artifacts, significantly complicating forensic recovery efforts.

Written in C++ using object-oriented programming, RemotePE uses a multithreaded architecture consisting primarily of two controller threads:

  • IChannelController for C2 communications
  • IMiddleController for command processing

The malware supports extensive post-compromise functionality through multiple command classes:

  • File system browsing and manipulation
  • Process creation and termination
  • Command execution
  • Configuration management
  • Dynamic DLL/plugin loading
  • ZIP compression and exfiltration
  • Sleep scheduling and persistence controls

One notable feature is its modular plugin system, which allows operators to dynamically load reflective DLL payloads into memory during operations. These plugins must function both as valid Windows DLLs and reflective shellcode payloads, enabling highly flexible post-exploitation workflows. RemotePE also implements secure file deletion functionality by repeatedly overwriting files seven times prior to deletion, behavior previously associated with Lazarus-linked malware families such as PondRAT and POOLRAT. All communications are encrypted using AES-GCM, compressed using Microsoft Cabinet compression APIs, and transmitted via JSON structures intentionally designed to resemble Microsoft cloud telemetry patterns.
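The seven-pass overwrite before deletion is a behavioural signal that survives the framework's lack of disk artifacts, because the writes themselves are visible to file telemetry. The following is an added detection example, not the researchers' code: it runs over a list of file events of the kind an EDR or Sysmon file-write/delete feed provides and flags a file that received at least seven writes shortly before being deleted. The events are constructed, and the field names (ts, op, path, pid) and the 30-second window are assumptions about that feed.

```python
"""Flag the overwrite-seven-times-then-delete sequence the bulletin attributes to RemotePE.

Added example, not the researchers' code. Events are constructed; field names
and the time window are assumptions about the telemetry source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_PASSES = 7                   # RemotePE overwrites seven times before deleting
WINDOW = timedelta(seconds=30)    # assumed: all passes land within this long of the delete


def find_wipe_then_delete(events, passes=WIPE_PASSES, window=WINDOW):
    """Return alerts for (path, pid) pairs with >= passes writes inside window, then a delete."""
    recent_writes = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["path"], ev["pid"])
        if ev["op"] == "write":
            recent_writes[key].append(ev["ts"])
        elif ev["op"] == "delete":
            in_window = [t for t in recent_writes.pop(key, []) if ev["ts"] - t <= window]
            if len(in_window) >= passes:
                alerts.append({"path": ev["path"], "pid": ev["pid"],
                               "passes": len(in_window), "deleted_at": ev["ts"]})
    return alerts


def constructed_events():
    """Three files: one wiped RemotePE-style, one plain delete, one slow rewrite cycle."""
    t0 = datetime(2026, 5, 1, 9, 0, 0)
    ev = []
    # Wiped: seven writes one second apart, then delete.
    for i in range(7):
        ev.append({"ts": t0 + timedelta(seconds=i), "op": "write",
                   "path": r"C:\Users\a\stage.tmp", "pid": 4120})
    ev.append({"ts": t0 + timedelta(seconds=7), "op": "delete",
               "path": r"C:\Users\a\stage.tmp", "pid": 4120})
    # Ordinary: one write, then delete.
    ev.append({"ts": t0, "op": "write", "path": r"C:\Users\a\notes.txt", "pid": 2210})
    ev.append({"ts": t0 + timedelta(seconds=2), "op": "delete",
               "path": r"C:\Users\a\notes.txt", "pid": 2210})
    # Slow: seven writes spread over hours (log rotation), then delete; outside the window.
    for i in range(7):
        ev.append({"ts": t0 + timedelta(hours=i), "op": "write",
                   "path": r"C:\logs\app.log", "pid": 900})
    ev.append({"ts": t0 + timedelta(hours=7), "op": "delete",
               "path": r"C:\logs\app.log", "pid": 900})
    return ev


if __name__ == "__main__":
    for alert in find_wipe_then_delete(constructed_events()):
        print("wipe-then-delete:", alert)
```

Keying on (path, pid) rather than path alone keeps a wiper running under one process from being diluted by unrelated writers, and the window keeps routine rewrite cycles out of the alert queue; tune both to the feed you actually have.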

Threat Actor Analysis

The tooling overlaps substantially with activity previously attributed to Lazarus subgroups associated with financially motivated operations conducted on behalf of North Korea. Researchers specifically identified similarities to campaigns tracked as AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces.

Operational patterns strongly support this attribution:

  • Heavy targeting of financial and cryptocurrency organizations
  • Shared infrastructure characteristics
  • Similar secure deletion methods
  • Shared RAT development patterns
  • Use of Namecheap shared hosting infrastructure
  • Actor-in-the-loop payload delivery models
  • Long-term persistence objectives

Researchers observed that successful payload delivery windows aligned closely with daytime working hours in Korea Standard Time (UTC+9), further supporting links to North Korean operational activity.
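A working-hours profile is the standard way to test this kind of timing observation. The block below is an added example, not the researchers' analysis: given the UTC timestamps of payload-delivery events it converts each to a chosen time zone, builds an hour histogram, and reports the fraction that fall on weekdays between 09:00 and 18:00, so KST can be contrasted with UTC or any other candidate zone. The timestamps and the 09:00-18:00 working day are constructed assumptions.

```python
"""Test whether event timestamps cluster in a given time zone's working hours.

Added example, not the researchers' analysis. Timestamps are constructed; the
09:00-18:00 weekday working day is an assumption.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9), "KST")
WORK_START, WORK_END = 9, 18          # assumed working day, local time


def working_hours_profile(utc_timestamps, tz=KST):
    """Return (hour histogram in tz, fraction of events on weekdays 09:00-18:00 in tz)."""
    by_hour = Counter()
    in_hours = 0
    for ts in utc_timestamps:
        local = ts.astimezone(tz)
        by_hour[local.hour] += 1
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            in_hours += 1
    fraction = in_hours / len(utc_timestamps) if utc_timestamps else 0.0
    return by_hour, fraction


# Constructed delivery times; comments give the KST equivalent.
CONSTRUCTED_DELIVERIES = [
    datetime(2026, 5, 4, 1, 0, tzinfo=timezone.utc),    # Mon 10:00 KST
    datetime(2026, 5, 4, 4, 30, tzinfo=timezone.utc),   # Mon 13:30 KST
    datetime(2026, 5, 4, 7, 45, tzinfo=timezone.utc),   # Mon 16:45 KST
    datetime(2026, 5, 4, 15, 0, tzinfo=timezone.utc),   # Tue 00:00 KST
    datetime(2026, 5, 9, 2, 0, tzinfo=timezone.utc),    # Sat 11:00 KST (weekend)
]


def compare_kst_vs_utc(timestamps=CONSTRUCTED_DELIVERIES):
    """Fraction of events inside working hours under KST and under UTC."""
    _, kst_fraction = working_hours_profile(timestamps, KST)
    _, utc_fraction = working_hours_profile(timestamps, timezone.utc)
    return kst_fraction, utc_fraction


if __name__ == "__main__":
    hist, kst = working_hours_profile(CONSTRUCTED_DELIVERIES)
    print("KST hour histogram:", sorted(hist.items()))
    print("in KST working hours: %.2f, in UTC working hours: %.2f" % compare_kst_vs_utc())
```

On real data the useful output is the full histogram rather than the single fraction: a delivery set that is tightly bounded by one zone's working day, and empty on its weekends, is a stronger signal than any one threshold.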

Unlike commodity malware operations focused on rapid monetization, this framework appears optimized for long-duration observation and stealthy persistence before transitioning to high-impact objectives such as:

  • Cryptocurrency theft
  • Financial fraud
  • Data exfiltration
  • Large-scale financial heists

Analyst Commentary

The RemotePE ecosystem highlights the continued maturation of Lazarus-linked intrusion tradecraft toward highly selective, long-duration operations designed to evade both automated detection pipelines and traditional forensic workflows. The combination of DPAPI-based environmental keying, reflective PE loading, direct syscall execution, ETW suppression, and memory-only payload deployment demonstrates a deliberate focus on operational survivability rather than rapid smash-and-grab monetization.

For defenders, this type of tooling presents a significant challenge because many traditional detection strategies rely heavily on static artifacts, file-based scanning, or commodity malware signatures. In this case, the actor minimizes usable disk artifacts while ensuring encrypted payloads are effectively useless outside the victim environment. Even recovered malware samples may provide limited intelligence value without corresponding DPAPI material from the compromised host.

The campaign also reinforces the growing importance of behavioral telemetry and multi-engine analysis approaches capable of identifying subtle indicators that may individually appear low-confidence. Memory-only loaders, reflective DLL execution, ETW tampering, syscall remapping, and anomalous DPAPI usage patterns can each generate weak or fragmented signals in isolation. Correlating these behaviors across multiple analytic engines and telemetry sources materially improves the likelihood of identifying stealth-focused intrusions before operational objectives are achieved.

Organizations in the financial, cryptocurrency, defense, and critical infrastructure sectors should treat stealth-oriented memory-only frameworks as a growing operational reality rather than an edge case. Threat actors increasingly prioritize persistence, intelligence collection, and delayed monetization over immediate disruptive activity, making early-stage detection and anomaly correlation critical components of modern defense strategies.

IOCs

PolySwarm has multiple samples associated with this activity.

DPAPILoader

4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874

aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039

159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3

Click here to view all samples of DPAPILoader in our PolySwarm portal.

RemotePELoader

7a05188ab0129b0b4f38e2e7599c5c52149ce0131140db33feb251d926428d68

Click here to view all samples of RemotePELoader in our PolySwarm portal.

RemotePE

37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef

6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d

62e040a32aac2d2faa8d2bffa2cf7ab662228cebf9bb78eaa0a633c0b729d119

710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8


Click here to view all samples of RemotePE in our PolySwarm portal.

Topics: Threat Bulletin, Lazarus Group, RemotePE, RemotePELoader, North Korea cyber threat, cryptocurrency malware, DPAPILoader
