RemotePE: The Lazarus RAT that lives in memory
A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI). RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through the HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence by masquerading as legitimate Windows services.
AI Analysis
Technical Summary
RemotePE is a memory-resident remote access trojan deployed by a Lazarus subgroup from North Korea targeting the financial and cryptocurrency sectors. It involves a three-stage malware chain: DPAPILoader decrypts and loads RemotePELoader via Windows DPAPI; RemotePELoader beacons to C2 servers to download RemotePE, which executes fully in memory without filesystem traces. The malware employs environmental keying, the HellsGate technique for EDR evasion, ETW patching, and masquerades as Windows services for persistence. It supports comprehensive RAT functions including file operations, process management, command execution, and a plugin system for additional payloads. The threat infrastructure uses shared hosting on Namecheap and actor-in-the-loop delivery methods. No patches or vendor advisories are available, and no known exploits in the wild have been reported.
Potential Impact
The malware enables attackers to maintain stealthy, persistent access to targeted systems in financial and cryptocurrency organizations. Its memory-only execution and advanced evasion techniques reduce detection likelihood by endpoint security solutions. The RAT's capabilities allow full remote control including file and process manipulation and dynamic payload extension, posing significant risk to confidentiality, integrity, and availability of affected systems. However, no known active exploitation campaigns have been reported at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check vendor advisories for current remediation guidance. Due to the memory-only nature and advanced evasion techniques of RemotePE, traditional signature-based detection may be ineffective. Organizations should employ behavioral and memory forensic detection methods, monitor for suspicious service masquerading, and restrict use of DPAPI where possible. Incident response teams should be prepared to analyze memory dumps and network traffic for indicators of compromise related to this toolset.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
- Adversary: Lazarus
- Pulse Id: 6a1447f25db6bc082d5093cb
- Threat Score: null
Threat ID: 6a1469cca5ae1af1aab5c217
Added to database: 5/25/2026, 3:25:00 PM
Last enriched: 5/25/2026, 3:39:55 PM
Last updated: 5/26/2026, 1:16:49 AM
Views: 106