Lazarus Group Escalates Attacks with Fileless RemotePE Trojan Targeting Crypto and Banks

ID: 88100a29-339b-54b8-9c47-6c31b6d745d8

STIX ID: report--88100a29-339b-54b8-9c47-6c31b6d745d8

Feed Name: ThreatCluster

Threat Score: 90/100

Date Published: 2026-05-25

Date Updated: 2026-05-26

The Lazarus Group has escalated operations against the financial and cryptocurrency sectors by deploying RemotePE, a fileless in-memory RAT delivered via Telegram-based social engineering and fake scheduling links. The report outlines a three-stage loader chain, advanced evasion techniques (Hell’s Gate direct syscalls, ETW patching, process hollowing), and identified C2 domains and artifacts. It estimates approximately $577M stolen in early 2026 (about $6B since 2017) and recommends network blocking, behavioral detection, and hardening of messaging and Ghost CMS instances.