RemotePE: In-Memory Lazarus RAT Delivered via DPAPILoader and RemotePELoader Multi-Stage Chain — Threadlinqs Intelligence
Threat ID: TL-2026-0722 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Attribution: Lazarus Group (financially-motivated subgroup) · North Korea · FINANCIAL
RemotePE is a sophisticated multithreaded C++ remote access trojan attributed to North Korea's Lazarus Group, executed entirely in system memory with no filesystem artifacts. It is delivered through a
RemotePE is the apex payload of a memory-only toolset that Fox-IT (Mick Koomen, Yun Zheng Hu) attributes to a financially-motivated subgroup of the North Korean Lazarus Group (overlapping with AppleJeus / Citrine Sleet / Gleaming Pisces / UNC4736). The actor replaced its older PondRAT and ThemeForestRAT tooling with a purpose-built, low-forensic-footprint chain designed for long-term covert observation of decentralized-finance (DeFi), trading, and cryptocurrency organizations before high-impact financial theft.
The intrusion typically begins with highly tailored social engineering over Telegram, where operators impersonate employees of a trading firm and schedule meetings using fraudulent Calendly- and Picktime-themed scheduling domains to deliver an initial payload (a then-zero-day Chrome exploit is suspected for some intrusions). Early footholds use PerfhLoader to drop PondRAT (a stripped-down POOLRAT/SIMPLESEA variant) and load ThemeForestRAT directly into memory; supporting tools include a Chrome cookie/credential stealer, a keylogger and screenshot utility, Mimikatz, and FRPC/MidProxy/Proxy Mini tunnelers. After roughly three months of access, the operators clean up and deploy the more sophisticated RemotePE chain against the highest-value hosts.
Stage 1, DPAPILoader, is a DLL (observed as Iassvc.dll, sspicli.dll, wmiclnt.dll) masquerading as the Windows Internet Authentication Service. It scans C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US*.* for Microsoft Cabinet files (magic 4D 53 43 46), then decrypts the next stage using Windows DPAPI plus an XOR (0x8D) layer and reflectively loads it via libpeconv. Because DPAPI keys are unique per victim, the encrypted blobs cannot be analyzed off-host (e.g., on VirusTotal) without the victim's keys -- an environmental-keying defense against sandboxing. Persistence is via a malicious service DLL under svchost.exe or DLL sideloading.
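Because the staged blob is DPAPI-keyed to the victim, it has to be located on the host rather than decrypted off it. The following Python hunt, an added example that is not Fox-IT or Threadlinqs code, mirrors the loader's own search of the DeviceMetadataStore folder and triages every MSCF-magic file it finds; the expected `.devicemetadata-ms` extension and the CAB 1.3 header sanity checks are assumptions about what legitimate device-metadata packages look like.

```python
"""Triage the DeviceMetadataStore folder DPAPILoader scans. Added example, not Fox-IT
or Threadlinqs code. Assumes legitimate device metadata packages end in
.devicemetadata-ms with a CAB 1.3 header whose cbCabinet equals the file size."""
import pathlib
import struct

MSCF_MAGIC = b"MSCF"   # 4D 53 43 46, the magic DPAPILoader searches for
STORE_DIR = r"C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US"
LEGIT_EXT = ".devicemetadata-ms"   # assumption, see module docstring

def parse_cfheader(data: bytes):
    """Return the CFHEADER fields used for triage, or None if not a cabinet."""
    if len(data) < 36 or data[:4] != MSCF_MAGIC:
        return None
    cb_cabinet, _, coff_files = struct.unpack_from("<III", data, 8)
    minor, major, c_folders, c_files = struct.unpack_from("<BBHH", data, 24)
    return {"cb_cabinet": cb_cabinet, "coff_files": coff_files,
            "version": (major, minor), "c_folders": c_folders, "c_files": c_files}

def triage(name: str, data: bytes):
    """Reasons an MSCF file looks like a staged blob rather than device metadata."""
    hdr = parse_cfheader(data)
    if hdr is None:
        return []   # not a cabinet: the loader would skip it too
    reasons = []
    if not name.lower().endswith(LEGIT_EXT):
        reasons.append("unexpected extension in DeviceMetadataStore")
    if hdr["version"] != (1, 3):
        reasons.append("CAB version is not 1.3")
    if hdr["cb_cabinet"] != len(data):
        reasons.append("cbCabinet does not match file size")
    if not hdr["c_folders"] or not hdr["c_files"] or hdr["coff_files"] >= len(data):
        reasons.append("header describes no usable folder/file entries")
    return reasons

def hunt(directory: str = STORE_DIR):
    """Walk the folder with the loader's own *.* pattern; map path -> reasons."""
    findings = {}
    for path in pathlib.Path(directory).glob("*.*"):
        if path.is_file():
            reasons = triage(path.name, path.read_bytes())
            if reasons:
                findings[str(path)] = reasons
    return findings

def make_cab_header(cb_cabinet, c_folders=1, c_files=1, major=1, minor=3, coff=0x40):
    """Constructed CFHEADER plus zero padding for testing, not a real archive."""
    hdr = MSCF_MAGIC + struct.pack("<IIIII", 0, cb_cabinet, 0, coff, 0)
    hdr += struct.pack("<BBHHHHH", minor, major, c_folders, c_files, 0, 0, 0)
    return hdr + b"\0" * (cb_cabinet - len(hdr))
```

Run `hunt()` on a suspect host and escalate any path it returns together with the file for on-host decryption, since the same file will not decrypt in an off-host sandbox.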
Stage 2, RemotePELoader, is a C2 beacon. It resolves syscalls with HellsGate/TartarusGate (NtOpenSection, NtMapViewOfSection, NtUnmapViewOfSection, NtProtectVirtualMemory, NtClose), remaps DLLs from \KnownDlls to unhook EDR, and patches ETW by overwriting EtwEventWrite with 'XOR RAX,RAX; RET'. Its small (<20 KiB) DPAPI-encrypted config holds up to three C2 URLs, proxy settings, user-agent strings, and sleep/reconnect timers. C2 is HTTP POST over TLS with cookie-based authentication (fields including MSCC, MicrosoftApplicationsTelemetryDeviceId carrying the bot ID, MSFPC, HASH, LV, V, LU, at_check/ai_session) and AES-GCM payload encryption keyed by a SplitMix64-seeded Mersenne Twister PRNG; each message is uint64 seed + 16-byte auth tag + ciphertext.
Stage 3, RemotePE, is a multithreaded, object-oriented C++ RAT run only in memory. An IChannelController thread handles C2 while an IMiddleController thread executes commands, with an external named-event trigger (GUID 554D5C1F-AABE-49E4-AB57-994D22ECED28) for out-of-band activation. RTTI-based command classes provide configuration control (IConfigProfile), console/command execution and module management (IConsole), file/drive enumeration with secure 7-pass overwrite deletion and ZIP archival (IFileExplorer), process management (IProcess), sleep/exit scheduling (ITimer), and a no-op ping (IPing). It supports a plugin system of dual-format 'shellcodified DLLs' and compresses output with MSZIP via cabinet.dll. Delivery is actor-in-the-loop: operators manually push the payload, and observed delivery windows cluster in UTC+9 (KST) daytime, reinforcing the DPRK attribution. C2 infrastructure is hosted on Namecheap shared hosting, defeating naive IP-based blocking.
Weaknesses (CWE)
CWE-506, CWE-1188
Target sectors: financial, cryptocurrency, decentralized-finance, trading, investment
Target regions: Global, North America, Europe, Asia
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 31 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
MALWARE, HIGH, threat intelligence, cybersecurity, T1583, T1583.003, T1587.001, T1566, T1566.003, T1189, T1106, T1129, T1204, T1543.003