Advanced Lazarus Memory-Only Toolset Deeply Analyzed by Fox-IT
ID: 07ffce26-d98c-54ac-a8e8-469675959659
STIX ID: report--07ffce26-d98c-54ac-a8e8-469675959659
Feed Name: securityonline.info
## Executive Summary

Security researchers identified a sophisticated Lazarus-linked cyber espionage campaign targeting international financial entities that uses a three-stage, memory-only framework (DPAPILoader -> RemotePELoader -> RemotePE). The operation leverages DPAPI-based environmental keying for staged decryption, HellsGate remapping and ETW patching to evade EDR, in-memory remote access with plugin support and secure file destruction, and Namecheap-hosted infrastructure with Microsoft-like HTTP cookie fields. Defenders are advised to focus on host-based behavioral detection and targeted network hunting for IOCs such as lassvc.dll service names, DPAPI-encrypted blobs, and SNI/DNS artifacts.
