{
  "name": "RemotePE: The Lazarus RAT that lives in memory",
  "slug": "remotepe-the-lazarus-rat-that-lives-in-memory",
  "description": "A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through the HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence by masquerading as legitimate Windows services.",
  "published": "2026-05-25T11:00:34+00:00",
  "created_at": "2026-05-25T11:00:34+00:00",
  "modified_at": "2026-05-25T13:21:45+00:00",
  "created_at_opencti": "2026-05-25T11:00:34+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-05-25",
    "dpapiloader",
    "hellsgate",
    "pondrat",
    "poolrat",
    "remotepe",
    "remotepeloader",
    "themeforestrat"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://docs.dissect.tools/en/stable/"
      },
      {
        "id": "",
        "name": "https://docs.dissect.tools/en/stable"
      },
      {
        "id": "",
        "name": "7a05188ab0129b0b4f38e2e7599c5c52149ce0131140db33feb251d926428d68"
      },
      {
        "id": "",
        "name": "62e040a32aac2d2faa8d2bffa2cf7ab662228cebf9bb78eaa0a633c0b729d119"
      },
      {
        "id": "",
        "name": "6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d"
      },
      {
        "id": "",
        "name": "37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef"
      },
      {
        "id": "",
        "name": "710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8"
      },
      {
        "id": "",
        "name": "aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039"
      },
      {
        "id": "",
        "name": "4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874"
      },
      {
        "id": "",
        "name": "159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3"
      }
    ],
    "malware": [
      {
        "id": "d13c5808-6c18-48d6-93ed-3a1d8dcc76e2",
        "name": "PondRAT",
        "slug": "pondrat"
      },
      {
        "id": "7b2e25ba-9448-4d9c-88c2-0f9f363c23b0",
        "name": "POOLRAT",
        "slug": "poolrat"
      },
      {
        "id": "legacy:malware:4c704e5fca3d4678",
        "name": "RemotePELoader",
        "slug": "remotepeloader"
      },
      {
        "id": "legacy:malware:f01840c4c86b041a",
        "name": "DPAPILoader",
        "slug": "dpapiloader"
      },
      {
        "id": "legacy:malware:79864aface467907",
        "name": "RemotePE",
        "slug": "remotepe"
      },
      {
        "id": "legacy:malware:4e092b06a984101a",
        "name": "ThemeForestRAT",
        "slug": "themeforestrat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d84018a2-9bb1-45dd-94a2-38a8deb013c0",
        "name": "Lazarus",
        "slug": "lazarus"
      }
    ],
    "attack_patterns": [
      {
        "id": "a706defa-5a99-4a26-b1be-ac6c1fc20b92",
        "name": "T1562.006"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "31d29704-da1c-47ea-b93f-76d368813bdf",
        "name": "T1560"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "b7ce10bf-26cb-4791-a74f-491b039516dc",
        "name": "T1480.001"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "14ea0786-b57c-4a30-8e4e-46944d17eb18",
        "name": "T1036.004"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "file.name"
      },
      {
        "id": "",
        "name": "aes-secure.net"
      },
      {
        "id": "",
        "name": "intelcloudinsights.com"
      },
      {
        "id": "",
        "name": "event.name"
      },
      {
        "id": "",
        "name": "akamaicloud.com"
      },
      {
        "id": "",
        "name": "azureglobalaccelerator.com"
      },
      {
        "id": "",
        "name": "devicelinkintel.com"
      },
      {
        "id": "",
        "name": "msdeliverycontent.com"
      },
      {
        "id": "",
        "name": "docs.dissect.tools"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6a1447f25db6bc082d5093cb",
    "https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/"
  ]
}