The PolySwarm Blog


Lazarus Expands Financial Espionage Operations With Memory-Resident RemotePE RAT

May 29, 2026 3:21:34 PM / by The Hivemind posted in Threat Bulletin, Lazarus Group, RemotePE, RemotePELoader, North Korea cyber threat, cryptocurrency malware, DPAPILoader


Verticals Targeted: Financial, Cryptocurrency
Related Threat Actors: Lazarus
Related Families: DPAPILoader, RemotePELoader, RemotePE

Executive Summary

Researchers identified a sophisticated Lazarus-linked malware ecosystem composed of DPAPILoader, RemotePELoader, and RemotePE, a chained toolset designed for stealth, persistence, and long-term access in high-value financial and cryptocurrency environments. The malware leverages DPAPI-based environmental keying, direct syscall techniques, ETW suppression, and memory-only payload execution to minimize forensic visibility and evade modern endpoint defenses.
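The "DPAPI-based environmental keying" named above is the part of this toolset that most directly frustrates offline analysis, so it is worth seeing what it means in practice. The PowerShell below is an added illustration written for this post, not DPAPILoader's own code and not derived from any sample: it protects a constructed stand-in payload with the Windows Data Protection API in machine scope, which ties the ciphertext to the host's DPAPI master key. The entropy value and the payload bytes are assumed placeholders.

```powershell
# Added illustrative example (not DPAPILoader's code): how a DPAPI-protected
# blob becomes bound to the host that produced it. Requires Windows; the .NET
# ProtectedData class wraps CryptProtectData / CryptUnprotectData.
Add-Type -AssemblyName System.Security

# LocalMachine scope keys the blob to the machine rather than to one user,
# so any process on this host can unwrap it but no other host can.
$scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

# Optional entropy is a second secret the decryptor must also supply.
# Assumed placeholder value for this example.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-entropy')

function Protect-Stage {
    param([byte[]]$Plain)
    [System.Security.Cryptography.ProtectedData]::Protect($Plain, $entropy, $scope)
}

function Unprotect-Stage {
    param([byte[]]$Blob)
    try {
        [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $entropy, $scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        # This is the failure an analyst hits after copying the blob to a
        # sandbox or another workstation: the local DPAPI master key does not
        # match, so the payload never materialises off the victim host.
        Write-Warning "DPAPI unprotect failed: $($_.Exception.Message)"
        return $null
    }
}

# Constructed stand-in for a staged payload; a loader would hold its next
# stage here and keep the decrypted bytes in memory only.
$payload = [System.Text.Encoding]::UTF8.GetBytes('constructed payload bytes')
$blob = Protect-Stage -Plain $payload
Write-Output ("Protected blob (base64): " + [Convert]::ToBase64String($blob))

# On the same machine this returns the original bytes; on any other machine,
# or with different entropy, Unprotect-Stage returns $null.
$recovered = Unprotect-Stage -Blob $blob
if ($recovered) {
    Write-Output ("Recovered: " + [System.Text.Encoding]::UTF8.GetString($recovered))
}
```

The practical consequence for responders is that an environmentally keyed stage must be decrypted on the live host, or the host's DPAPI material must be acquired alongside the blob: for machine-scope blobs that is the system master key files under %SystemRoot%\System32\Microsoft\Protect\S-1-5-18 together with the DPAPI_SYSTEM LSA secret, and for user-scope blobs the user's master keys and credentials. Submitting the blob alone to a sandbox will only reproduce the failure branch above.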
