Inside RemotePE, the Lazarus In-Memory RAT Targeting Crypto


CyberSecureFox Editorial Team

Researchers from Fox-IT (an NCC Group division) have published a detailed analysis of the multi-stage malicious framework RemotePE, a remote access trojan which, according to the researchers, is used by the North Korea-linked Lazarus Group to attack financial and cryptocurrency organizations. The defining feature of RemotePE is that the final module runs entirely in memory: only the first-stage loader and an encrypted payload blob bound to the victim host ever touch disk, which leaves little for file-based endpoint protection to scan. Organizations in the DeFi, cryptocurrency and financial services sectors should check their infrastructure for the indicators of compromise associated with this campaign.

Multi-stage infection chain

According to Fox-IT, the RemotePE framework consists of three consecutive stages, each performing a specific function in the payload delivery chain:

  • DPAPILoader (file “Iassvc.dll”) — the first loader, which decrypts and loads the encrypted payload from disk using the native Windows mechanism — Data Protection API (DPAPI). The earliest discovered DPAPILoader artifact dates back to November 2023.
  • RemotePELoader — the decrypted second-stage payload, which establishes an HTTP connection to the command server, downloads the main module and launches it in memory.
  • RemotePE — the final remote access trojan, written in C++, which receives instructions from the command server and runs exclusively in RAM, leaving no traces in the file system.

The use of DPAPI for decryption is a deliberate choice: the encrypted payload is bound to a specific machine and user account. Without that host's DPAPI master key (which in turn requires the user's credentials or the domain backup key), the blob cannot be decrypted on another machine, which significantly complicates analysis in an isolated environment. For incident responders this has a practical consequence: if the loader and its encrypted payload are collected from disk, the same user's DPAPI master key files and credentials must be collected with them, otherwise the second stage cannot be recovered in the lab.

Defense evasion techniques

Before loading the final module, RemotePELoader employs several detection-evasion techniques. As the researchers report, the loader uses the Hell's Gate method: it reads the system service numbers it needs from the syscall stubs of the in-memory copy of ntdll.dll and issues those system calls directly, so that the inline hooks EDR-class products place on ntdll's exported functions never execute. In addition, RemotePELoader patches the Event Tracing for Windows (ETW) mechanism in user mode, so that the process stops emitting the telemetry that many monitoring tools rely on.

The combination of fileless execution, environment binding via DPAPI, EDR evasion and ETW suppression forms a comprehensive set of anti-detection measures. According to Fox-IT, neither RemotePELoader nor RemotePE had been uploaded to VirusTotal prior to the publication of the report — an indirect indicator that the tool was used selectively against a limited number of targets.

Capabilities of the RemotePE trojan

The final RemotePE module is a fully featured remote access trojan supporting six categories of commands:

  • C2 server configuration management (retrieval and modification)
  • Working directory and DLL module management (registration, unloading, enumeration)
  • File operations
  • Process management (enumeration, creation, termination by ID)
  • State management (entering a sleep mode for a specified interval or exiting)
  • Connectivity checks with the server (ping)

The file deletion mechanism is particularly noteworthy: before deletion, each file is overwritten with constant bytes seven times, then renamed, and only after that removed. According to the researchers, this seven-pass overwrite pattern is identical to behavior previously observed in PondRAT and POOLRAT (also known as SIMPLESEA) — tools that are attributed to the same activity cluster.

Campaign context and attribution

Fox-IT first mentioned RemotePE in September 2025 in the context of an attack on an unnamed organization in the decentralized finance (DeFi) sector. In that incident, three malware families were reportedly deployed: PondRAT, ThemeForestRAT and RemotePE.

The initial intrusion vector was social engineering. The attackers contacted an employee of the targeted organization via Telegram, posing as an employee of a trading company, and scheduled a meeting using spoofed domains impersonating the Calendly and Picktime services.

Fox-IT researchers obtained four RemotePE samples, the analysis of which points to active development of the trojan from mid-2023 to mid-2024. The earliest sample has a timestamp of 4 July 2023.

Important caveat: attribution of this activity to the Lazarus group rests on a single research source, Fox-IT. As of the time of publication there is no independent confirmation of this link from government agencies or other research organizations. The overlap in file deletion behavior with previously documented tools from this cluster and the characteristic focus on the cryptocurrency sector make the assessment plausible, but it should be treated as Fox-IT's assessment rather than an established fact.

Indicators of compromise

Based on the published analysis, the following network indicator is available:

  • C2 domain: aes-secure[.]net — used by RemotePELoader to download the final module over plain HTTP, so the name can be matched both in DNS logs and in proxy logs on the HTTP Host header

Security recommendations

Given the fileless nature of RemotePE and the techniques used for evasion, standard security controls may prove insufficient. Recommended measures:

  • Network monitoring: add the aes-secure[.]net domain to blocklists at the DNS and proxy levels and alert on HTTP connections to it. Because the loader fetches the final module over HTTP, a proxy that logs the Host header will record the domain even when name resolution happened elsewhere.
  • DPAPI monitoring: where your EDR exposes API-level telemetry, track anomalous CryptUnprotectData calls from unusual processes; Windows does not log these calls by default, so this check depends on the endpoint agent. Such calls may indicate DPAPILoader activity. Pay attention to DLLs named “Iassvc.dll” being loaded from non-standard locations (Sysmon Event ID 7, ImageLoad, records the full path of the loaded module).
  • Protection against ETW patching: use solutions capable of detecting runtime modification of ETW providers. A number of modern EDR platforms offer this functionality.
  • In-memory behavior monitoring: deploy or strengthen tools for detecting fileless threats, including analysis of anomalous memory allocation patterns and direct system calls (characteristic of Hell’s Gate).
  • Countering social engineering: conduct targeted awareness training for employees working with crypto assets about contact schemes via Telegram that use fake domains for scheduling meetings.
  • Retrospective analysis: review DNS, proxy and firewall logs for any connections to the specified C2 domain, going back to at least mid-2023, since the earliest RemotePE sample is timestamped 4 July 2023 and the earliest DPAPILoader artifact dates from November 2023.
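To make these recommendations concrete, here is an added hunting example in Python. It is not part of the Fox-IT research and reflects no real telemetry: it runs over a constructed, Sysmon-style event list and implements four checks from this article: DNS or network contact with aes-secure[.]net, Iassvc.dll loaded from outside the Windows system directories, a DPAPI unprotect call from a process that has already loaded that DLL, and the seven-pass overwrite, rename, delete sequence described in the capabilities section. The `dpapi_unprotect` event type is an assumption standing in for whatever API telemetry your EDR exposes (Windows itself does not log CryptUnprotectData), and all field names are assumed and will need mapping to your own log schema.

```python
# Added hunting example, not from the Fox-IT report. Event dicts use assumed
# Sysmon-like field names; map them to your own log schema before use.
import ntpath
from collections import defaultdict

C2_DOMAINS = {"aes-secure.net"}        # RemotePELoader C2 domain named in the report
LOADER_DLL = "iassvc.dll"              # DPAPILoader file name named in the report
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
OVERWRITE_PASSES = 7                   # RemotePE / PondRAT / POOLRAT wipe pattern


def _norm(path):
    return path.lower().replace("/", "\\")


def hunt(events):
    """Return (rule, pid, detail) findings for a time-ordered list of event dicts."""
    findings = []
    loader_pids = set()          # processes that loaded iassvc.dll from a non-standard path
    writes = defaultdict(int)    # (pid, path) -> number of write events seen
    renamed_from = {}            # (pid, current path) -> path before any rename
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind in ("dns_query", "network_connect"):
            if ev["dst"].lower().rstrip(".") in C2_DOMAINS:
                findings.append(("c2_contact", pid, f"{kind} to {ev['dst']}"))
        elif kind == "image_load":
            img = _norm(ev["image"])
            if ntpath.basename(img) == LOADER_DLL and not img.startswith(SYSTEM_DIRS):
                loader_pids.add(pid)
                findings.append(("loader_dll", pid, ev["image"]))
        elif kind == "dpapi_unprotect":
            # Assumed EDR event for CryptUnprotectData; escalate only when the
            # caller is a process already seen loading the suspicious DLL.
            if pid in loader_pids:
                findings.append(("loader_dpapi", pid, ev["process"]))
        elif kind == "file_write":
            writes[(pid, _norm(ev["path"]))] += 1
        elif kind == "file_rename":
            old, new = _norm(ev["old_path"]), _norm(ev["new_path"])
            renamed_from[(pid, new)] = renamed_from.pop((pid, old), old)
        elif kind == "file_delete":
            path = _norm(ev["path"])
            original = renamed_from.pop((pid, path), path)
            passes = writes.pop((pid, original), 0)
            if passes >= OVERWRITE_PASSES:
                findings.append(("wipe_pattern", pid,
                                 f"{original} overwritten {passes}x, renamed, deleted"))
    return findings


def sample_events():
    """Constructed events: one RemotePE-like process (pid 4120) plus benign noise."""
    doc = "C:\\Users\\alice\\Documents\\wallet-notes.txt"
    suspicious = [
        {"type": "image_load", "pid": 4120, "process": "svchost.exe",
         "image": "C:\\ProgramData\\Update\\Iassvc.dll"},
        {"type": "dpapi_unprotect", "pid": 4120, "process": "svchost.exe"},
        {"type": "dns_query", "pid": 4120, "dst": "aes-secure.net"},
        {"type": "network_connect", "pid": 4120, "dst": "aes-secure.net"},
        *[{"type": "file_write", "pid": 4120, "path": doc} for _ in range(OVERWRITE_PASSES)],
        {"type": "file_rename", "pid": 4120, "old_path": doc,
         "new_path": "C:\\Users\\alice\\Documents\\~tmp0001"},
        {"type": "file_delete", "pid": 4120, "path": "C:\\Users\\alice\\Documents\\~tmp0001"},
    ]
    benign = [
        # constructed same-named load under System32: the rule keys on location only
        {"type": "image_load", "pid": 900, "process": "svchost.exe",
         "image": "C:\\Windows\\System32\\iassvc.dll"},
        # an editor saving a scratch file a few times and then removing it
        *[{"type": "file_write", "pid": 2200, "path": "C:\\Temp\\scratch.txt"} for _ in range(3)],
        {"type": "file_delete", "pid": 2200, "path": "C:\\Temp\\scratch.txt"},
        {"type": "dns_query", "pid": 2200, "dst": "update.example.com"},
    ]
    return suspicious + benign


if __name__ == "__main__":
    for rule, pid, detail in hunt(sample_events()):
        print(f"[{rule}] pid={pid} {detail}")
```

Two design points: the DPAPI check deliberately fires only for a process that has already loaded the suspicious DLL, because CryptUnprotectData on its own is far too common for an alert; and the wipe detector follows a file across a rename so that the overwrite count is attributed to the original name, which is the name an analyst will search for afterwards.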

The RemotePE framework demonstrates deliberate investment in tooling for long-term stealthy presence in the infrastructure of financial organizations. Its low detection rate and selective use indicate that this toolset is reserved for high-value targets. Organizations in the cryptocurrency and financial sectors should prioritize reviewing network logs for connections to aes-secure[.]net, strengthening monitoring of anomalous DPAPI operations, and ensuring that their EDR solutions can detect direct system call techniques and ETW patching.

