RemotePELoader

The malware implements the TartarusGate variant of the HellsGate technique to dynamically resolve Windows syscall numbers directly from ntdll.dll, bypassing userland API hooks commonly deployed by endpoint security products. Using direct syscalls, the malware remaps clean DLL copies from the Windows \KnownDlls object directory, effectively removing security hooks placed by EDR products.

After DPAPI decryption, the payload is additionally XORed with 0x8D before loading. This is consistent across all observed DPAPILoader samples.

The first is HellsGate (specifically the TartarusGate variant), a technique that dynamically resolves Windows syscall numbers at runtime.

`decrypt_c2_message` decodes a base64 blob, derives a key and nonce, and uses `AES.new(key, AES.MODE_GCM, nonce)` to decrypt the ciphertext from the `C2Message` structure.

network packets utilize HTTP cookie names that mimic the Microsoft ecosystem. For instance, headers incorporate fields like MSCC and MicrosoftApplicationsTelemetryDeviceId to appear authentic.

Before contacting its command-and-control server, it removes security hooks placed by endpoint protection products and disables Windows event tracing, allowing the malware to operate with little or no visibility to defenders.

DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API.

On the first run it sleeps until the configured wake-up timestamp and on subsequent iterations it sleeps for a random interval within the configured bounds.

The final component, a fully featured remote access trojan (RAT), is executed entirely in memory and provides attackers with extensive control over compromised systems.

On the first run it sleeps until the configured wake-up timestamp and on subsequent iterations it sleeps for a random interval within the configured bounds.

The script defines a `CabinetStream` structure with `compressed_buf` and uses `decompress_mszip` with zlib to decompress the command output after decryption.

It then initiates an encrypted HTTP communication loop with remote servers.

C2 communications occur over HTTP POST requests using specially crafted cookie fields designed to resemble legitimate Microsoft telemetry traffic.

The second-stage loader retrieves the final payload directly from attacker-controlled infrastructure.

All messages exchanged with the C2 server are AES-encrypted, except for the initial check-in response containing the session ID.

DPAPILoader uses the Windows Data Protection API (DPAPI) to decrypt its payload... each deployment produces a unique encrypted blob, meaning the payload hash differs across victims and evades hash-based detection.

RemotePELoader additionally patches the EtwEventWrite() function to disable Event Tracing for Windows (ETW) event generation by forcing the function to immediately return success without logging events.

Remote PELoader patches function EtwEventWrite() in the current process... Therefore, this patch causes the function to return zero immediately. As a result, endpoint security solutions fail to receive runtime process events.

The attack followed a pattern increasingly common in Lazarus operations, social engineering via Telegram, with operatives posing as employees of a legitimate trading firm, scheduling fake meetings through spoofed Calendly and Picktime domains to gain initial access to a victim’s device.