RemotePE: The Lazarus RAT that lives in memory
Essential information
- Published
- 25/05/2026 13:00
- Modified
- 25/05/2026 15:21
- Tags
- 2026-05-25 dpapiloader hellsgate pondrat poolrat remotepe remotepeloader themeforestrat
- Related entities
- 10 observables, 1 intrusion sets (apt), 20 techniques (mitre), 6 malware, 10 others
Description
A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence through masquerading as legitimate Windows services.