Lazarus Deploys Memory-Only RAT Against Crypto Firms, Stealing $577M
North Korea's Lazarus Group uses RemotePE, a fileless RAT that executes entirely in RAM, to target DeFi platforms. The group has stolen $577M in crypto this year alone.
Security researchers at Fox-IT have exposed a sophisticated new malware toolset used by North Korea's Lazarus Group to target cryptocurrency exchanges and DeFi platforms. The cross-platform malware, called RemotePE, executes entirely in memory: the final payload is never written to disk and only the loader stages touch the filesystem, which makes it exceptionally difficult to detect and analyze.
According to TRM Labs, Lazarus has stolen $577 million in cryptocurrency during the first four months of 2026 alone. That figure represents 76% of all crypto thefts worldwide this year, despite involving just two major incidents.
How the Attack Chain Works
The intrusion typically begins with social engineering. Lazarus operators approach employees at cryptocurrency firms through Telegram, posing as colleagues from legitimate trading companies. They schedule meetings using fake Calendly and Picktime domains, then direct targets to malicious infrastructure.
The infection chain uses three distinct stages:
Stage 1 - DPAPILoader
A DLL named "Iassvc.dll" decrypts and loads an encrypted payload from disk using the Windows Data Protection API (DPAPI). Because DPAPI derives the protection key from the user or machine that encrypted the blob, the payload only decrypts on the victim host; an encrypted copy pulled off the machine does not yield the next stage. Fox-IT traced the earliest artifact of this loader to November 2023.
Stage 2 - RemotePELoader
The second-stage loader contacts the command-and-control server at aes-secure[.]net via HTTP. It fetches the core module and executes it directly in memory. To evade detection, the loader implements Hell's Gate and Event Tracing for Windows (ETW) patching: Hell's Gate resolves system call numbers from ntdll.dll and issues syscalls directly, bypassing the user-mode API hooks that many EDR sensors rely on, while ETW patching disables the in-process event-write routine so the process stops emitting the trace events those sensors consume.
Stage 3 - RemotePE
The final payload is a full-featured C++ remote access trojan that never touches the disk. Development timestamps suggest the malware was built between mid-2023 and mid-2024, with the first compilation dated July 4, 2023.
RemotePE Capabilities
The RAT supports six command categories that give operators extensive control over compromised systems:
- C2 management - Reconfigure command-and-control endpoints
- Directory operations - Browse filesystems and manage DLL modules
- File operations - Read, write, and securely delete files (overwrites 7 times before deletion)
- Process control - Enumerate, create, and terminate processes
- Sleep/exit - Manage beacon intervals and terminate implant
- Ping - Verify connectivity to C2 infrastructure
The seven-pass file overwrite is notable: it suggests Lazarus operators are actively trying to prevent forensic recovery of exfiltrated data. The overwrite is not a guarantee for either side, however. On SSDs with wear leveling and on journaled filesystems such as NTFS, rewriting a file's logical blocks does not reliably destroy every physical copy, and metadata such as MFT entries, the USN journal and volume shadow copies can still record that the file existed.
Evasion Techniques
RemotePE's environmental keying (the DPAPI-protected payload only decrypts on the intended host) and memory-only execution make it particularly difficult to detect. Neither RemotePELoader nor RemotePE appeared on VirusTotal prior to Fox-IT's public disclosure, indicating Lazarus reserved these tools for high-value targets rather than deploying them broadly.
The toolset's low forensic footprint suggests it was designed for long-term observation campaigns—exactly what you'd expect when the goal is identifying cryptocurrency wallet infrastructure or monitoring high-value transactions.
This approach differs from the supply chain attacks targeting npm and PyPI we covered in February, where Lazarus cast a wider net using poisoned packages. RemotePE represents the precision instrument used after initial access is established.
Why Cryptocurrency Firms Keep Getting Hit
North Korean cyber operations have become the regime's primary revenue source, and cryptocurrency represents the easiest target. DeFi platforms often prioritize speed-to-market over security, and the irreversibility of blockchain transactions means stolen funds rarely return.
The $577 million figure is particularly striking because it comes from concentrated attacks on a small number of targets. Compare that to the Verizon DBIR 2026 findings showing ransomware gangs generating similar totals across thousands of victims. Lazarus achieves comparable returns with far fewer operations.
For security teams at crypto firms, this pattern matters. You're not defending against opportunistic attackers scanning for low-hanging fruit—you're defending against a nation-state with unlimited patience and a specific interest in your organization.
Detection and Defense
RemotePE's memory-only execution makes traditional file-based detection ineffective against the final stage. The loader DLL and its DPAPI-protected blob do sit on disk and remain the most durable file artifacts, but since the blob only decrypts on the victim host, disk-based scanning alone will not reveal what it contains. Focus instead on:
- Behavioral monitoring - Flag processes that call DPAPI unprotect routines and then open HTTP connections to unfamiliar domains. DPAPI use on its own is routine (browsers and credential managers call it constantly), so it is the pairing with the outbound connection that matters
- Network telemetry - Monitor for connections to known Lazarus infrastructure (the aes-secure[.]net domain is now burned)
- Endpoint protection - Enable protections against Hell's Gate and ETW patching. Both techniques defeat user-mode API hooks and in-process ETW, so prefer sensors that collect from kernel callbacks or the kernel-side ETW Threat Intelligence provider rather than from hooks inside the monitored process
- Social engineering awareness - Train employees to verify the identity of anyone making unsolicited contact, whether posing as a trading-company counterpart or a recruiter, through official channels before joining meetings or installing any software
The initial access vector, unsolicited Telegram outreach from someone posing as a trading-company contact, mirrors the fake recruiter pattern seen in previous Lazarus ClickFix campaigns. Anyone receiving unsolicited contact involving cryptocurrency or blockchain work, whether framed as a job offer or a business meeting, should treat the interaction as potentially hostile.
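The three detection ideas above (loader DLL on disk, the burned C2 domain, and DPAPI use followed by outbound HTTP from the same process) can be expressed as hunt rules over endpoint telemetry. The following is an added example, not Fox-IT's tooling or any vendor's rule format: the event schema, process paths, PIDs, the destination allowlist, the five-minute pairing window and the sample events are all constructed for illustration. Only the loader name and the C2 domain come from the article.

```python
"""Hunt rules for the RemotePE chain over endpoint telemetry.

Added example, not Fox-IT's tooling. The event schema, host names,
allowlist, time window and sample events are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'aes-secure[.]net' into a matchable host."""
    return ioc.replace("[.]", ".").strip().lower().rstrip(".")


# Burned C2 from the report, kept in the defanged form the IoC table uses.
KNOWN_C2 = {refang("aes-secure[.]net")}
# Loader file name from the report; matched case-insensitively on the basename.
SUSPECT_LOADER_NAMES = {"iassvc.dll"}
# Assumed allowlist of destinations this organisation expects (constructed).
EXPECTED_DOMAINS = {"update.microsoft.com", "api.exchange.internal"}
# DPAPI unprotect followed by HTTP to an unknown host inside this window is
# treated as the Stage 1 -> Stage 2 hand-off. The threshold is an assumption.
DPAPI_TO_NET_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Event:
    ts: datetime
    pid: int
    image: str   # full path of the process image
    kind: str    # "image_load" | "api_call" | "net_conn"
    detail: str  # loaded DLL path, API name, or destination host


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    evidence: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events: Iterable[Event]) -> list[Finding]:
    """Apply three rules in timestamp order:
    1. known_loader_dll        - a loaded DLL whose basename matches the reported loader
    2. known_c2                - any connection to the burned C2 domain
    3. dpapi_then_unknown_http - CryptUnprotectData in a process, then a connection
       from the same PID to a non-allowlisted host within DPAPI_TO_NET_WINDOW.
       DPAPI use alone is normal (browsers, credential managers), so it only
       scores when paired with the network step.
    """
    findings: list[Finding] = []
    last_dpapi: dict[int, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "image_load" and _basename(ev.detail) in SUSPECT_LOADER_NAMES:
            findings.append(Finding("known_loader_dll", ev.pid, ev.image, ev.detail))
        elif ev.kind == "api_call" and ev.detail == "CryptUnprotectData":
            last_dpapi[ev.pid] = ev.ts
        elif ev.kind == "net_conn":
            host = refang(ev.detail)
            if host in KNOWN_C2:
                findings.append(Finding("known_c2", ev.pid, ev.image, host))
            elif host not in EXPECTED_DOMAINS:
                seen = last_dpapi.get(ev.pid)
                if seen is not None and ev.ts - seen <= DPAPI_TO_NET_WINDOW:
                    findings.append(Finding("dpapi_then_unknown_http", ev.pid, ev.image, host))
    return findings


def sample_events() -> list[Event]:
    """Constructed telemetry: one benign browser session and one process that
    follows the loader pattern. Paths, PIDs and the unknown host are made up."""
    t0 = datetime(2026, 4, 20, 9, 0, 0)
    browser = r"C:\Program Files\Browser\browser.exe"
    suspect = r"C:\Users\alice\AppData\Local\Temp\client.exe"
    return [
        # Benign: browser decrypts saved credentials, then talks to an expected host.
        Event(t0, 4120, browser, "api_call", "CryptUnprotectData"),
        Event(t0 + timedelta(seconds=2), 4120, browser, "net_conn", "update.microsoft.com"),
        # Suspect: loads the reported loader DLL, unprotects a blob, beacons out.
        Event(t0 + timedelta(minutes=1), 7788, suspect, "image_load",
              r"C:\Users\alice\AppData\Local\Temp\Iassvc.dll"),
        Event(t0 + timedelta(minutes=1, seconds=1), 7788, suspect, "api_call", "CryptUnprotectData"),
        Event(t0 + timedelta(minutes=1, seconds=5), 7788, suspect, "net_conn", "cdn-sync.example"),
        Event(t0 + timedelta(minutes=2), 7788, suspect, "net_conn", "aes-secure[.]net"),
    ]


if __name__ == "__main__":
    for f in hunt(sample_events()):
        print(f"{f.rule:26} pid={f.pid} {f.image} -> {f.evidence}")
```

Run against the sample, the browser session produces nothing because its destination is allowlisted, while the suspect process trips all three rules. The third rule is the one worth tuning in a real environment: the allowlist and the pairing window decide its noise level, and the ordering (the known-C2 check runs before the DPAPI pairing) means a burned domain is always reported under the higher-confidence rule.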
Indicators of Compromise
| Type | Value |
|---|---|
| C2 Domain | aes-secure[.]net |
| Loader | Iassvc.dll |
| Technique | DPAPI decryption, Hell's Gate, ETW patching |
| Targets | DeFi platforms, cryptocurrency exchanges, financial institutions |
Organizations in the cryptocurrency space should assume they're already being targeted. For a deeper understanding of North Korean cyber operations, our guide to Lazarus group tactics covers the historical context behind these campaigns.
Related Articles
Lazarus Weaponizes Fake Job Interviews With ClickFix Malware
North Korean APT-Q-1 now combines fraudulent cryptocurrency job postings with ClickFix social engineering to deploy GolangGhost backdoor and BeaverTail stealer.
Jan 7, 2026

Lazarus Plants Malicious Packages in npm and PyPI Registries
North Korea's Lazarus Group targets blockchain developers with fake recruitment campaign distributing RAT malware through 36 poisoned npm and PyPI packages.
Feb 14, 2026

North Korean Hackers Backdoored Axios npm Package in 40 Minutes
Google attributes the Axios npm supply chain attack to UNC1069, a North Korean threat actor. Malicious versions deployed WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
Apr 21, 2026

North Korea Uses GitHub as C2 in South Korea Attacks
FortiGuard Labs exposes DPRK campaign using LNK files and GitHub repositories for command-and-control against South Korean targets. 22 evasion techniques identified.
Apr 3, 2026