Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms
ID: b5f73dd9-9766-5f8c-9ee8-c02824f9d3c6
STIX ID: report--b5f73dd9-9766-5f8c-9ee8-c02824f9d3c6
Feed Name: The Hacker News
RemotePE is a cross-platform, memory-only remote access trojan (RAT) attributed to the North Korea-linked Lazarus Group and used in targeted campaigns against financial and cryptocurrency organizations. The attack chain uses a DPAPILoader DLL to decrypt and load a second-stage loader (RemotePELoader), which in turn fetches and executes the RemotePE RAT in memory; the toolset includes EDR evasion techniques (e.g., Hell's Gate, ETW patching), environmental keying, and the file-wiping behavior observed in related RATs. Fox-IT/F-IT analysts observed active development from mid-2023 to mid-2024 and note the toolset's low detection rate and its suitability for long-term, stealthy access to high-value targets.