Lazarus APT Deploys Fileless RemotePE RAT Operating Entirely in Memory to Evade Detection


Wednesday, May 27, 2026

Reports indicate that the Lazarus Group APT has developed and deployed a new Remote Access Trojan (RAT) known as “RemotePE,” designed to operate entirely in the memory of compromised systems. Because the malware leaves almost no traces on disk, forensic analysis and retrospective investigation become significantly more difficult. Researchers from Fox-IT, a subsidiary of NCC Group, discovered the malware during an incident response investigation involving a decentralized finance (DeFi) organization. The Lazarus subgroup linked to this activity overlaps with threat clusters previously tracked under the names AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces.

Analysis revealed that the attackers used social engineering techniques through Telegram, impersonating employees of legitimate digital asset trading companies. Victims were lured into fake meetings using phishing domains that mimicked services such as Calendly and Picktime in order to gain initial access to target devices. The malware infection chain involved a three-stage toolset consisting of DPAPILoader, RemotePELoader, and RemotePE. DPAPILoader leverages the Windows Data Protection API (DPAPI) to decrypt and launch the next-stage component, while RemotePELoader communicates with a Command-and-Control (C2) server to retrieve the final payload. The final-stage malware, RemotePE, is executed directly in memory without being written to disk, significantly reducing the effectiveness of traditional file-based detection mechanisms.

RemotePE is a C++-based RAT featuring multiple capabilities, including file management, process control, plugin loading, and secure file deletion. Researchers identified several malware variants developed between July 2023 and May 2024, indicating active and continuous evolution of the toolkit. In addition, RemotePELoader was specifically engineered to evade security products by attempting to remove security hooks used by endpoint protection solutions and disabling Windows event tracing before contacting the C2 infrastructure. According to Fox-IT, the malware suite was designed to minimize forensic artifacts, maintain long-term persistence, and support intelligence gathering prior to data theft or large-scale financial attacks. The researchers also released YARA rules and Indicators of Compromise (IoCs) to assist defenders and system administrators with threat detection and incident response efforts.

Source: https://securityaffairs.com/192666/apt/lazarus-apt-unveils-fileless-remote-access-trojan-designed-to-evade-detection.html