Full Report
Cybersecurity researchers have shed light on a cross-platform malware called RemotePE that has been put to use by the North Korea-linked Lazarus Group in attacks targeting financial and cryptocurrency organizations. RemotePE, per NCC Group subsidiary Fox-IT, is part of a multi-stage attack chain that involves two loaders tracked as DPAPILoader and RemotePELoader. "DPAPILoader decrypts and
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
* **Actor Name:** Lazarus Group
* **Origin:** North Korea (State-linked)
* **Associated Groups/Subgroups:** This specific campaign is linked to a subgroup focused on financial/cryptocurrency theft; related malware overlaps connect them to the operators of PondRAT and POOLRAT (SIMPLESEA).
## Activity Summary
The actor has been identified using a sophisticated, multi-stage attack chain to deploy a memory-only Remote Access Trojan (RAT) called **RemotePE**. Active development of this toolset was observed between mid-2023 and mid-2024. Recent operations involve the use of social engineering via Telegram to compromise employees at decentralized finance (DeFi) organizations, leading to stealthy, long-term observation campaigns.
## Tactics, Techniques & Procedures
* **Social Engineering:** Impersonating employees of trading companies on Telegram to schedule meetings.
* **Luring:** Use of fake meeting scheduling domains (Calendly and Picktime themes).
* **Defense Evasion:**
  * **Memory-Only Execution:** RemotePE is never written to disk.
  * **Hell’s Gate:** Used to bypass EDR/AV hooks by invoking system calls directly.
  * **ETW Patching:** Disabling Event Tracing for Windows to hide malicious activity.
  * **Environmental Keying:** Using DPAPI to ensure payloads can only be decrypted on the intended victim machine.
  * **Secure File Deletion:** Overwriting files seven times with constant bytes before deletion to prevent forensic recovery.
* **Multi-Stage Loading:** Chains involving `Iassvc.dll` (DPAPILoader) to decrypt subsequent stages.
## Targeting
* **Sectors:** Financial Services, Cryptocurrency, Decentralized Finance (DeFi).
* **Geography:** Global (implied by the nature of DeFi and cryptocurrency targeting).
* **Victims:** Unnamed DeFi organizations and their employees.
## Tools & Infrastructure
* **Malware Families:**
  * **RemotePE:** A C++ based RAT executed entirely in memory.
  * **DPAPILoader:** DLL-based loader using Windows DPAPI.
  * **RemotePELoader:** Fetches the final RAT stage via HTTP.
  * **PondRAT / ThemeForestRAT:** Associated malware found in similar intrusions.
  * **POOLRAT (SIMPLESEA):** Related malware sharing code patterns (file deletion logic).
* **Infrastructure:**
  * aes-secure[.]net (C2 server)
  * Fake Calendly and Picktime domains (social engineering)
## Implications
The use of memory-only RATs and advanced evasion techniques like Hell’s Gate indicates a shift toward high-stealth, long-term observation. Lazarus is moving away from "noisy" attacks in favor of persistent access to high-value targets. This allows them to conduct extensive reconnaissance before executing major financial heists or data exfiltration, making detection significantly more difficult for standard EDR solutions.
## Mitigations
* **Memory Forensics:** Deploy security tools capable of scanning process memory and detecting unbacked executable code (e.g., reflective DLL injection).
* **Social Engineering Training:** Educate employees—especially in finance and crypto sectors—regarding unsolicited outreach on Telegram and LinkedIn, even if the contact appears to be a known professional.
* **Endpoint Hardening:** Implement strict monitoring for API calls associated with ETW patching and direct system call execution.
* **Network Monitoring:** Monitor for unauthorized outbound HTTP traffic to suspicious domains, particularly those mimicking legitimate SaaS platforms like Calendly.
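As an added example (not part of the report or of Fox-IT's analysis), the network-monitoring point above applied in Python over constructed proxy log lines: it flags the C2 domain named in this summary and any destination whose host embeds, or whose second-level label is one edit away from, an impersonated scheduling brand. The log line format, the legitimate brand domains and the edit-distance threshold are assumptions.

```python
import re
# Impersonated scheduling brands from the report -> assumed legitimate domains
# (maintain from your own SaaS allowlist); the C2 domain from the report, refanged.
LEGIT_BRANDS = {"calendly": "calendly.com", "picktime": "picktime.com"}
KNOWN_C2 = {d.replace("[.]", ".") for d in ("aes-secure[.]net",)}
MAX_EDITS = 1  # typo distance tolerated in the second-level label (tunable)
HOST_RE = re.compile(r"https?://([^/\s:]+)")  # assumed proxy-log URL field

def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as calendy / pick-time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Verdict for a destination host: 'known-c2', 'lookalike:<brand>' or None."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    sld = labels[-2] if len(labels) > 1 else labels[0]
    reg = ".".join(labels[-2:])  # naive eTLD+1; use the Public Suffix List in production
    if reg in KNOWN_C2:
        return "known-c2"
    for brand, legit in LEGIT_BRANDS.items():
        if reg == legit:
            return None  # the genuine SaaS domain or one of its subdomains
        # brand embedded in a non-official host (e.g. calendly-meet.net) or a near-typo as the SLD
        if brand in host or levenshtein(sld, brand) <= MAX_EDITS:
            return f"lookalike:{brand}"
    return None

def scan_proxy_log(lines):
    """Return the lines whose destination host is the known C2 or a brand lookalike."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if m and (verdict := classify_host(m.group(1))):
            hits.append({"host": m.group(1).lower(), "verdict": verdict, "line": line})
    return hits

SAMPLE_LOG = [  # constructed sample proxy log lines, not real traffic
    "2024-05-01T10:02:11Z 10.0.0.12 GET https://api.calendly.com/v2/events 200",
    "2024-05-01T10:03:40Z 10.0.0.12 GET https://calendly-meet.net/schedule/team 200",
    "2024-05-01T10:05:02Z 10.0.0.12 POST https://aes-secure.net/upload 200",
    "2024-05-01T10:06:15Z 10.0.0.31 GET https://pick-time.org/book 200",
]
```

Subdomains of the genuine brand domain are left alone, so the lookalike check only fires on hosts outside the allowlisted registrable domain.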