Ravie LakshmananMay 25, 2026Endpoint Security / Threat Intelligence

Cybersecurity researchers have shed light on a cross-platform malware called RemotePE that has been put to use by the North Korea-linked Lazarus Group in attacks targeting financial and cryptocurrency organizations.

RemotePE, per NCC Group subsidiary Fox-IT, is part of a multi-stage attack chain that involves two loaders tracked as DPAPILoader and RemotePELoader.

"DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI)," security researchers Yun Zheng Hu and Mick Koomen said. "RemotePELoader beacons to a C2 server and waits until it receives the next stage: RemotePE, a RAT executed entirely in memory and never written to disk, leaving no filesystem artifacts."

RemotePE was first highlighted by the security vendor in September 2025 in connection with an attack targeting an unnamed organization in the decentralized finance (DeFi) sector, leading to the deployment of three malware families, including PondRAT, ThemeForestRAT, and RemotePE.