North Korean Hacker Group Unveils Covert Malware, Raising Cybersecurity Concerns

North Korea's Lazarus Group has developed covert malware aimed at infiltrating banks and cryptocurrency enterprises, using social engineering techniques to gain trust and evade traditional detection tools, posing serious cybersecurity risks.

A troubling new development has emerged in cybersecurity: North Korea's Lazarus Group has developed a covert piece of malware. The new fileless remote access tool, known as "RemotePE", is designed to infiltrate banks and cryptocurrency enterprises without leaving obvious traces on victims' systems.

How do they gain trust?

The Lazarus Group employs complex social engineering techniques in their operations. They disguise themselves as employees of investment firms on platforms like Telegram, luring targets into accepting fake meeting invitations sent through systems like Calendly. This human-centric approach significantly increases the success rate of their attacks.

Cybersecurity experts point out: "The Lazarus Group utilizes social engineering to establish trust with victims, initiating the first step towards malware installation."

Why is this malware so elusive?


At the core of this operation is a dynamic link library (DLL) called DPAPILoader, which leverages Windows DPAPI to unlock a second payload. That payload is retrieved from a remote command-and-control server and loaded directly into memory without ever being written to disk, which lets the RemotePE malware operate almost invisibly.

By using techniques such as Hell's Gate (direct system calls that sidestep user-mode hooks) and ETW patching (disabling the Windows event tracing telemetry that security tools consume), RemotePELoader effectively bypasses traditional detection methods. In one recent attack, the group infiltrated a DeFi news company's infrastructure by deploying three remote access tools together (RemotePE, PondRAT, and ThemeForestRAT).

  • RemotePE: Active in 2025-2026, targeting the crypto and banking sectors, with extremely high detection difficulty.
  • PondRAT: Used in 2025, affecting DeFi News and financial sectors, with high detection difficulty.
  • ThemeForestRAT: Deployed in 2025, high detection difficulty, targeting the financial sector.


Escalating Concerns and Economic Impact

Fox-IT's technical assessment confirms that RemotePE's reliance on in-memory operations makes it resistant to traditional antivirus tools. The report states that the Lazarus Group had extracted up to $577 million in cryptocurrency by 2026 and was responsible for most of the cyber theft incidents at the beginning of the year.

According to data from TRM Labs: "North Korea-linked hackers stole $577 million in digital assets in just two incidents during the first four months of 2026."

North Korea-linked actors accounted for 76% of global crypto thefts in 2026, an increase from the previous year. Since 2017 they have stolen a total of $6 billion in assets, which is suspected to fund the country's controversial weapons programs.

Meanwhile, reports have emerged of attackers using artificial intelligence, indicating that cybercriminals are becoming not only smarter but also more technically proficient. This has led to data breaches across hundreds of websites through the exploitation of vulnerabilities in the Ghost content management system.

As the Lazarus Group continues its digital thefts and cybersecurity vulnerabilities escalate, the situation grows increasingly dire.
