Lazarus Group has deployed RemotePE, a fully memory-resident trojan that is extremely hard for traditional antivirus and forensic tools to detect.Lazarus Group has deployed RemotePE, a fully memory-resident trojan that is extremely hard for traditional antivirus and forensic tools to detect.

North Korea’s Lazarus turns to fileless malware in new crypto attacks

For feedback or concerns regarding this content, please contact us at crypto.news@mexc.com

Cybersecurity analysts have discovered a new fileless remote access trojan (RAT), named RemotePE. It is being used by the Lazarus Group, a cybercrime group believed to be associated with North Korea, to target banks and crypto companies.

According to a recent analysis, this malware functions entirely in memory, making it nearly impossible to leave any footprints on the affected computer systems.

Lazarus Group leans on social engineering to defraud investors

The Lazarus Group begins the hack through social engineering techniques. They pose as employees of trading firms via Telegram. To do this, the actors use fake copies of Calendly and Picktime, which are widely used to schedule meetings.

After getting approval for a meeting, the chain of events proceeds until the first piece of malware is installed. This “human in the loop” method enables Lazarus operators to develop effective lures.

The malware operates through a well-coordinated three-stage chain that aims to reduce disk operations. First is DPAPILoader. This is a dynamic-link library (DLL), also known by its filename Iassvc.dll since November 2023.

The program uses the Windows Data Protection Application Programming Interface (DPAPI) to decrypt a payload stored on disk.

The decrypted payload is then passed to RemotePELoader, which creates an HTTP connection to the C2 at aes-secure[.]net. After this, it downloads and runs the last RemotePE stage in-memory.

To bypass EDR solutions, RemotePELoader uses Hell’s Gate techniques and ETW Patching to evade detection.

North Korea's Lazarus Group deploys fileless RemotePE trojan, targeting crypto and banks.Lazarus Group turns into silent crypto assassins. Source. X.

Finally, the main RemotePE RAT payload never comes into contact with the filesystem, maintaining low forensic visibility throughout the entire attack chain. This malware was first discovered in September 2025.

In the reported incident, a decentralized finance (DeFi) firm had its infrastructure compromised by three different RATs—RemotePE, PondRAT, and ThemeForestRAT—that eventually replaced one another.

Advanced tech and AI turn into traders’ worst nightmare

Earlier, crypto investors turned to AI and tech to streamline trading. Now, the same tools have fallen into hackers’ hands, causing them huge financial pains.

Environmental keying by DPAPI, memory-only execution, ETW patching, and Hell’s Gate make RemotePE nearly impossible to detect with traditional methods. Analysts at Fox-IT, an affiliate of NCC Group, have noted that these characteristics suggest the malware is designed to sustain itself in the long term to conduct reconnaissance before launching a strike, unlike typical disruptive malware attacks.

The Lazarus Group has already stolen about $577 million in crypto in the first four months of 2026. This accounts for 76% of all crypto thefts worldwide, despite just two major hacking incidents, according to blockchain analytics firm TRM Labs.

The percentage of crypto hacks attributable to North Korea has risen sharply. From single-digit figures in previous years to 64% in 2025 and 76% in 2026. Their record amount stolen is now at $6 billion since 2017. These funds allegedly finance the country’s weapons and nuclear development programs amid sanctions.

Hackers turn to AI to destabilize devs behind major tech entities

Cybersecurity experts have discovered a large-scale attack in which hackers targeted over 700 sites running the Ghost Content Management System, exploiting a critical SQL injection flaw. The cyberattacks gave attackers access to admin accounts’ usernames and passwords, enabling them to inject malware via JavaScript redirects into their ClickFix distribution channels.

The targeted platforms include academic institutions, AI endeavors, blockchain services, software-as-a-service vendors, cybersecurity research sources, news agencies, and fintech firms.

Victims who run into the fake CAPTCHA are asked to enter a Base64-encoded string into the Run dialog box. In this step, they can download a ZIP file containing a batch script. This batch script then runs a PowerShell command that will fetch either a signed DLL or JavaScript files from a remote server.

Earlier versions of the malware would run a DLL using the rundll32.exe. However, recent versions install an Inno Setup installer for an open-source version of the Electron application called Grape. Upon installation, the malware becomes persistent and polls the C2 domain web-telegram[.]ug, every 30 seconds.

The smartest crypto minds already read our newsletter. Want in? Join them.

World Cup Combo: Aim for 200x

World Cup Combo: Aim for 200xWorld Cup Combo: Aim for 200x

Combine up to 20 World Cup matches in one order

Disclaimer: The articles reposted on this site are sourced from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes on third-party rights, please contact crypto.news@mexc.com for removal. MEXC makes no guarantees regarding the accuracy, completeness, or timeliness of the content and is not responsible for any actions taken based on the information provided. The content does not constitute financial, legal, or other professional advice, nor should it be considered a recommendation or endorsement by MEXC.

You May Also Like

The changing face of elder care in Malaysia — Sayed Mohammad Reza Yamani Sayed Umar

The changing face of elder care in Malaysia — Sayed Mohammad Reza Yamani Sayed Umar

JULY 10 — An elderly society is becoming increasingly prevalent in Malaysia at present. It is projected that the p...
Share
Malaymail2026/07/10 15:24
One Of Frank Sinatra’s Most Famous Albums Is Back In The Spotlight

One Of Frank Sinatra’s Most Famous Albums Is Back In The Spotlight

The post One Of Frank Sinatra’s Most Famous Albums Is Back In The Spotlight appeared on BitcoinEthereumNews.com. Frank Sinatra’s The World We Knew returns to the Jazz Albums and Traditional Jazz Albums charts, showing continued demand for his timeless music. Frank Sinatra performs on his TV special Frank Sinatra: A Man and his Music Bettmann Archive These days on the Billboard charts, Frank Sinatra’s music can always be found on the jazz-specific rankings. While the art he created when he was still working was pop at the time, and later classified as traditional pop, there is no such list for the latter format in America, and so his throwback projects and cuts appear on jazz lists instead. It’s on those charts where Sinatra rebounds this week, and one of his popular projects returns not to one, but two tallies at the same time, helping him increase the total amount of real estate he owns at the moment. Frank Sinatra’s The World We Knew Returns Sinatra’s The World We Knew is a top performer again, if only on the jazz lists. That set rebounds to No. 15 on the Traditional Jazz Albums chart and comes in at No. 20 on the all-encompassing Jazz Albums ranking after not appearing on either roster just last frame. The World We Knew’s All-Time Highs The World We Knew returns close to its all-time peak on both of those rosters. Sinatra’s classic has peaked at No. 11 on the Traditional Jazz Albums chart, just missing out on becoming another top 10 for the crooner. The set climbed all the way to No. 15 on the Jazz Albums tally and has now spent just under two months on the rosters. Frank Sinatra’s Album With Classic Hits Sinatra released The World We Knew in the summer of 1967. The title track, which on the album is actually known as “The World We Knew (Over and…
Share
BitcoinEthereumNews2025/09/18 00:02
Not a loophole: Singapore AI export controls let China tap US AI legally

Not a loophole: Singapore AI export controls let China tap US AI legally

American AI technology is reaching Chinese tech giants through a route that US export controls were never designed to close: Singapore. The city-state sits outside
Share
The Cryptonomist2026/07/10 14:46

Activate to Enjoy Special Perks

Activate to Enjoy Special PerksActivate to Enjoy Special Perks

Access 0 fees, premium support, and loss coverage.