RemotePE
RemotePE is a Lazarus-linked final-stage remote access trojan (RAT) written in C++ that executes entirely in memory and is not written to disk, leaving minimal or no filesystem artifacts. It has been reported by Fox-IT/NCC Group as part of a three-stage malware framework used against financial and cryptocurrency organizations, including an incident at a decentralized finance entity. In the observed chain, DPAPILoader decrypts and loads RemotePELoader using Windows DPAPI, and RemotePELoader then retrieves and reflectively loads RemotePE from command-and-control infrastructure, often in an apparent actor-in-the-loop delivery model.
RemotePE is described as a fully featured, multithreaded RAT with capabilities including file operations, command execution, process creation and termination, configuration management, sleep scheduling, ZIP/compressed data handling, exfiltration, and dynamic loading of reflective DLLs or plugins at runtime. Its communications are encrypted with AES-GCM, and the reporting notes the use of JSON structures and HTTP traffic crafted to resemble Microsoft telemetry. Related reporting also describes supporting stages using direct syscall techniques such as HellsGate/TartarusGate, remapping clean DLLs from KnownDlls to remove userland hooks, and patching EtwEventWrite() to suppress ETW logging before delivery of the final implant.
RemotePE includes secure deletion functionality that overwrites files seven times before renaming/deleting them, a behavior noted as consistent with other Lazarus-associated malware such as PondRAT and POOLRAT. Researchers reported overlap between this activity and clusters tracked as AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces, with operational patterns and delivery timing assessed as consistent with a North Korean nexus. The toolset is characterized as optimized for stealthy, long-duration access preceding objectives such as cryptocurrency theft, financial fraud, data exfiltration, and large-scale financial heists.
High-confidence indicators and related artifacts mentioned in the reporting include the event name 554D5C1F-AABE-49E4-AB57-994D22ECED28 used by RemotePE, and associated RemotePE/RemotePELoader C2 domains including livedrivefiles.com, aes-secure.net, azureglobalaccelerator.com, msdeliverycontent.com, akamaicloud.com, intelcloudinsights.com, and devicelinkintel.com.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Lazarus Group Expands Malware Arsenal With PondRAT, ThemeForestRAT, and RemotePE
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
4 techniques
The malware supports extensive post-compromise functionality through multiple command classes: ... Command execution ...
IConsole ... Function ID 2: Execute a command and return its output
The first is HellsGate (specifically the TartarusGate variant), a technique that dynamically resolves Windows syscall numbers at runtime... Using these direct syscalls, RemotePELoader iterates the Process Environment Block’s module list and remaps each DLL...
“RemotePE also implements a plugin system that allows the operator to dynamically register DLL payloads at runtime.”
Persistence
2 techniques
IProcess ... Function ID 3: Create a process; Function ID 4: Create a process as a user
Privilege Escalation
2 techniques
IProcess ... Function ID 3: Create a process; Function ID 4: Create a process as a user
Stealth
7 techniques
The first is HellsGate (specifically the TartarusGate variant), a technique that dynamically resolves Windows syscall numbers at runtime.
`decrypt_c2_message` decodes a base64 blob, derives a key and nonce, and uses `AES.new(key, AES.MODE_GCM, nonce)` to decrypt the ciphertext from the `C2Message` structure.
Network packets utilize HTTP cookie names that mimic the Microsoft ecosystem. For instance, headers incorporate fields like MSCC and MicrosoftApplicationsTelemetryDeviceId to appear authentic.
Before contacting its command-and-control server, it removes security hooks placed by endpoint protection products and disables Windows event tracing, allowing the malware to operate with little or no visibility to defenders.
RemotePE also implements secure file deletion functionality by repeatedly overwriting files seven times prior to deletion, behavior previously associated with Lazarus-linked malware families such as PondRAT and POOLRAT.
On the first run it sleeps until the configured wake-up timestamp and on subsequent iterations it sleeps for a random interval within the configured bounds.
It filters out legitimate Microsoft Cabinet files by checking for the MSCF magic bytes and decrypts remaining files larger than 50 KiB using DPAPI before reflective loading through the open-source libpeconv library.
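The DPAPILoader heuristic above (skip real Microsoft Cabinet files, DPAPI-decrypt anything else above 50 KiB) has a direct defender-side mirror: flag on-disk files that are not cabinets, exceed that size, and begin with the DPAPI blob header. The following is an added triage helper, not code from the report or from Mallory. It assumes the standard DPAPI blob layout (a version DWORD of 1 followed by the well-known DPAPI provider GUID) and uses constructed in-memory sample files rather than real artifacts.

```python
"""Added example: triage candidate files for the DPAPILoader staging pattern.

Not code from the original reporting. The only page-derived facts are the
MSCF magic check and the 50 KiB threshold; the DPAPI header layout is the
documented blob structure. Sample inputs below are constructed.
"""
import struct
import uuid

MSCF_MAGIC = b"MSCF"            # Microsoft Cabinet file magic the loader skips
SIZE_THRESHOLD = 50 * 1024      # loader only decrypts files larger than 50 KiB

# A DPAPI blob starts with dwVersion == 1 followed by the provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in Windows (mixed-endian) layout.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_HEADER = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le


def classify(data: bytes) -> str:
    """Return a coarse label mirroring the loader's own decision tree."""
    if data.startswith(MSCF_MAGIC):
        return "cabinet"          # genuine CAB; the loader ignores these
    if len(data) <= SIZE_THRESHOLD:
        return "small"            # at or below the loader's size cutoff
    if data.startswith(DPAPI_HEADER):
        return "dpapi_blob"       # large DPAPI-protected blob: worth a look
    return "unknown_large"        # large, not a CAB, not DPAPI: low priority


def triage(files: dict[str, bytes]) -> dict[str, str]:
    """Classify a mapping of file name -> content (collected by the analyst)."""
    return {name: classify(data) for name, data in files.items()}


# Constructed samples (not real artifacts): one real-looking CAB, one large
# DPAPI blob, one DPAPI blob too small to matter, and one unrelated large file.
SAMPLE_FILES = {
    "legit.cab": MSCF_MAGIC + b"\x00" * (60 * 1024),
    "staged.dat": DPAPI_HEADER + b"\x11" * (60 * 1024),
    "tiny.dat": DPAPI_HEADER + b"\x11" * 100,
    "other.bin": b"\x00" * (60 * 1024),
}

if __name__ == "__main__":
    for name, label in triage(SAMPLE_FILES).items():
        print(f"{name:12s} {label}")
```

Two caveats for use: a DPAPI blob found this way cannot be decrypted offline without the victim's master keys, which is exactly why the page notes that every deployment has a unique hash; and the size cutoff is the loader's, so a hunt should also record smaller blobs rather than discard them.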
Discovery
3 techniques
The malware supports extensive post-compromise functionality through multiple command classes: ... Process creation and termination ...
RemotePE supports various commands, including C2 configuration management, file operations, process manipulation, and self-management.
Collection
1 technique
The malware supports extensive post-compromise functionality through multiple command classes: ... ZIP compression and exfiltration
Command and Control
5 techniques
The script defines a `CabinetStream` structure with `compressed_buf` and uses `decompress_mszip` with zlib to decompress the command output after decryption.
It then initiates an encrypted HTTP communication loop with remote servers.
C2 communications occur over HTTP POST requests using specially crafted cookie fields designed to resemble legitimate Microsoft telemetry traffic.
RemotePELoader, the second-stage component responsible for retrieving the final RemotePE RAT from attacker-controlled infrastructure... Once the operator initiates payload delivery, the server returns an AES-GCM encrypted and Base64-encoded PE payload that is decrypted and reflectively loaded directly into memory.
All messages exchanged with the C2 server are AES-encrypted, except for the initial check-in response containing the session ID.
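The Stealth and Command and Control excerpts both describe HTTP POST beaconing whose Cookie header carries Microsoft-telemetry-style names (MSCC, MicrosoftApplicationsTelemetryDeviceId). A proxy-log check for that mimicry is shown below as an added example; it is not code from the report or from Mallory. The log line format, the host allowlist, and the sample lines are all constructed assumptions; the cookie names and the POST method come from the page.

```python
"""Added example: flag POST requests carrying Microsoft-telemetry-style
cookie names to hosts where such cookies are not expected.

Not code from the original reporting. Log format, allowlist and sample
lines are constructed; adapt parse_line() to your own proxy format.
"""
import re

# Cookie names the reporting associates with RemotePE C2 mimicry.
SUSPECT_COOKIE_NAMES = {"MSCC", "MicrosoftApplicationsTelemetryDeviceId"}

# Assumption: hosts where these cookies legitimately appear. Build this
# allowlist from your own baseline; the suffixes here are illustrative.
EXPECTED_HOST_SUFFIXES = (".microsoft.com", ".live.com", ".office.com", ".bing.com")

# Constructed log shape: <ts> <method> <host> <path> "<Cookie header>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "(?P<cookie>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one constructed-format log line; return None on mismatch."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def cookie_names(header: str) -> set[str]:
    """Extract cookie names from a Cookie request header ('a=1; b=2')."""
    names = set()
    for part in header.split(";"):
        name, _, _ = part.strip().partition("=")
        if name:
            names.add(name)
    return names


def is_expected_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in EXPECTED_HOST_SUFFIXES)


def detect(lines) -> list[dict]:
    """Return one hit per POST whose suspect cookies go to an unexpected host."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        found = cookie_names(rec["cookie"]) & SUSPECT_COOKIE_NAMES
        if found and not is_expected_host(rec["host"]):
            hits.append({"ts": rec["ts"], "host": rec["host"],
                         "path": rec["path"], "cookies": sorted(found)})
    return hits


# Constructed sample log: one beacon-like POST to a page-listed C2 domain, one
# genuine-looking telemetry POST, and one GET that should not fire.
SAMPLE_LOG = [
    '2024-01-01T10:00:00Z POST livedrivefiles.com /v1/upload "MSCC=cP=CN; MicrosoftApplicationsTelemetryDeviceId=1f2e3d4c"',
    '2024-01-01T10:00:05Z POST settings-win.data.microsoft.com /settings "MSCC=cP=CN"',
    '2024-01-01T10:00:09Z GET livedrivefiles.com /index.html "MSCC=cP=CN"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The allowlist is the weak point of this check: an attacker who registers a look-alike Microsoft domain is handled by it (the suffix match is exact), but a legitimate first-party service you have not baselined will produce noise, so tune the suffix list before deploying it as an alert rather than a hunt query.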
Exfiltration
1 technique
The malware supports extensive post-compromise functionality through multiple command classes: ... ZIP compression and exfiltration
Impact
2 techniques
DPAPILoader uses the Windows Data Protection API (DPAPI) to decrypt its payload... each deployment produces a unique encrypted blob, meaning the payload hash differs across victims and evades hash-based detection.
Other
2 techniques
The malware employs evasion techniques like Hell's Gate and patches Event Tracing for Windows (ETW) to avoid detection.
The attack followed a pattern increasingly common in Lazarus operations: social engineering via Telegram, with operatives posing as employees of a legitimate trading firm and scheduling fake meetings through spoofed Calendly and Picktime domains to gain initial access to a victim's device.
IOCs tracked for this family
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A memory-only remote access trojan/backdoor that runs entirely in RAM, handles outbound C2 and operator commands, securely deletes files, and supports runtime plugin DLL registration.
A fully memory-resident remote access trojan with encrypted C2, multithreaded command handling, file and process operations, command execution, configuration management, plugin/DLL loading, compression and exfiltration, and secure file deletion. It is designed for long-term stealthy access in financial and cryptocurrency environments.
RemotePE is a remote access trojan designed to operate entirely in memory for stealthy, long-term access. It is delivered through a multi-stage chain, communicates with a C2 server, supports file and process operations, uses evasion techniques such as Hell's Gate and ETW patching, and includes secure file deletion behavior.
A memory-only remote access trojan used by Lazarus that executes entirely in memory and avoids writing the final payload to disk. It supports file operations, process management, plugin loading, and secure file deletion, and is designed for stealth, EDR evasion, and long-term observation.