North Korea-linked Lazarus APT Group is using a stealthy memory-only RAT that leaves almost no forensic traces behind.

North Korea-linked APT group Lazarus has never been shy about its ambitions; the threat actor has been tied to some of the most audacious financial heists in recent memory, draining hundreds of millions of dollars from cryptocurrency exchanges and financial institutions over the past decade. But a newly detailed malware family suggests the group has quietly been refining its approach, trading noisy intrusions for something far more surgical: a remote access trojan that runs entirely in memory and leaves investigators with almost nothing to find.

Researchers at Fox-IT, an NCC Group subsidiary, published a detailed breakdown last week of a three-stage toolchain dubbed RemotePE, which they first encountered during an incident response engagement at an unnamed decentralized finance organization.

“This Lazarus subgroup overlaps with activity linked to AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces,” reads the report published by Fox-IT. “In one investigation, we observed that the actor had replaced ThemeForestRAT and PondRAT with a more sophisticated memory-only toolset.”

The attack followed a pattern increasingly common in Lazarus operations: social engineering via Telegram, with operatives posing as employees of a legitimate trading firm and scheduling fake meetings through spoofed Calendly and Picktime domains to gain initial access to a victim’s device.

What makes this campaign technically distinctive is what comes after. The infection chain moves through two loaders before delivering the final payload. The first, DPAPILoader, takes advantage of the Windows Data Protection API (DPAPI), a built-in OS mechanism that encrypts data under keys tied to a specific user account or machine, to decrypt the next component from disk and execute it.

“The three form a chain. DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI). RemotePELoader beacons to a C2 server and waits until it receives the next stage: RemotePE, a RAT executed entirely in memory and never written to disk, leaving no filesystem artifacts. At the time of writing, we have not found samples of RemotePELoader or RemotePE on VirusTotal,” continues the report. “The toolset’s environmental keying, memory-only execution, EDR evasion, and low forensic footprint suggest it is purpose-built for long-term observation campaigns.”


This design choice is deliberate and elegant from an operational security standpoint. DPAPI derives the encryption key from the victim’s master key, which is itself protected by the user’s logon credentials (or, for machine-scope blobs, by a machine secret), so the encrypted RemotePELoader recovered from disk is bound to that account on that host: uploaded to a threat intelligence platform like VirusTotal, it cannot be decrypted without the victim’s keys. Each encryption call also mixes in a fresh random salt, so every deployment yields a different blob with a different file hash, defeating hash-based matching of the encrypted stage. The DPAPI blob structure itself, however, remains a recognisable artifact on disk, which is what the researchers’ host-based hunting advice relies on.

The second-stage malware, RemotePELoader, is designed to stay hidden from security tools. Before contacting its command-and-control server, it removes the user-mode hooks placed by endpoint detection and response (EDR) products and disables Event Tracing for Windows (ETW), leaving defenders with little or no telemetry from the process in which it runs.
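From the defender’s side, the hook removal and ETW silencing described above come down to one question: do the bytes at an export’s entry point still match what should be there? The following is an added example, not code from the Fox-IT report or from the malware. It classifies x64 function prologues by comparing each export’s in-memory bytes against its on-disk bytes and against the hooks the EDR expects to have placed. The syscall stubs, system call numbers, hook offsets and the EtwEventWrite prologue are all constructed placeholders; the jmp-hook and immediate-return patterns are general x64 conventions, not indicators taken from the report.

```python
import struct

# Added illustration of how hook removal and ETW patching are usually recognised.
# Every "disk" and "memory" image below is constructed; SSNs are illustrative.


def clean_stub(ssn: int) -> bytes:
    """Simplified clean ntdll Nt* stub: mov r10,rcx ; mov eax,SSN ; syscall ; ret."""
    return b"\x4c\x8b\xd1\xb8" + struct.pack("<I", ssn) + b"\x0f\x05\xc3"


def jmp_hook(rel32: int) -> bytes:
    """What an EDR inline hook looks like: jmp rel32 into its trampoline, NOP-padded."""
    return b"\xe9" + struct.pack("<i", rel32) + b"\x90\x90\x90\x0f\x05\xc3"


# Common ways to neuter a telemetry export such as EtwEventWrite in place:
# return immediately, with rax = 0 so callers still see "success".
RET_PATCHES = (b"\xc3", b"\x33\xc0\xc3", b"\x31\xc0\xc3", b"\x48\x33\xc0\xc3")


def classify(name: str, disk: bytes, mem: bytes, expected_hooks=frozenset()) -> str:
    """Verdict for one export given its on-disk prologue and its in-memory prologue."""
    if mem == disk:
        # Identical bytes only mean "clean" if nobody was supposed to hook it:
        # a loader that unhooks ntdll leaves exactly this picture behind.
        return "hook removed" if name in expected_hooks else "clean"
    if mem[:1] == b"\xe9" or mem[:2] == b"\xff\x25":
        return "edr hook intact" if name in expected_hooks else "unexpected jmp hook"
    if any(mem.startswith(p) for p in RET_PATCHES):
        return "neutered (immediate return)"
    return "modified (unknown patch)"


def audit(disk: dict, mem: dict, expected_hooks) -> dict:
    """Run classify() over every export present in both maps."""
    return {name: classify(name, disk[name], mem[name], expected_hooks)
            for name in sorted(disk) if name in mem}


def demo_audit() -> dict:
    """Constructed scenario: the EDR hooks two Nt* exports; a loader restores one
    of them and patches EtwEventWrite before calling out to its C2."""
    etw_prologue = b"\x48\x89\x5c\x24\x08\x57\x48\x83\xec\x20"  # placeholder, not the real prologue
    disk = {
        "NtAllocateVirtualMemory": clean_stub(0x18),
        "NtWriteVirtualMemory": clean_stub(0x3a),
        "NtProtectVirtualMemory": clean_stub(0x50),
        "EtwEventWrite": etw_prologue,
    }
    expected_hooks = frozenset({"NtWriteVirtualMemory", "NtProtectVirtualMemory"})
    mem = {
        "NtAllocateVirtualMemory": clean_stub(0x18),   # never hooked, untouched
        "NtWriteVirtualMemory": clean_stub(0x3a),      # EDR hook overwritten with the disk bytes
        "NtProtectVirtualMemory": jmp_hook(0x1234),    # EDR hook still in place
        "EtwEventWrite": b"\x48\x33\xc0\xc3" + etw_prologue[4:],  # xor rax,rax ; ret
    }
    return audit(disk, mem, expected_hooks)


if __name__ == "__main__":
    for export, verdict in demo_audit().items():
        print(f"{export:<26} {verdict}")
```

The verdict that matters is “hook removed”: once a loader has restored the original bytes, the function looks clean to anyone who only diffs memory against disk, so the EDR has to verify its own hooks rather than trust that comparison. A production check also has to map RVAs to file offsets and apply relocations before comparing, and the specific technique RemotePELoader uses is not described on this page.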

The final component, RemotePE itself, is a full-featured remote access trojan written in C++ that supports file operations, process management, plugin loading and secure file deletion; the last of these uses a seven-pass overwrite pattern consistent with other Lazarus tools, including PondRAT and POOLRAT. Fox-IT researchers obtained four samples showing incremental development between July 2023 and May 2024, suggesting the toolset was actively maintained over roughly a year.

“We obtained four RemotePE samples: three retrieved from active C2 servers and one recovered through forensic analysis. The C2 servers were identified during the incident response engagement or through fingerprinting,” continues the report. “Ordering the samples by PE compile timestamp reveals incremental changes across versions, primarily in the config loading mechanism and bot identification method, suggesting active development between mid-2023 and mid-2024.”

Perhaps as telling as the technical capabilities is the operational model behind them. When researchers emulated the RemotePELoader check-in protocol and established sessions with active C2 servers, payloads were not delivered automatically — a human operator on the other end manually approved each delivery. All six successful payload retrievals occurred during daytime hours in the UTC+9 timezone, consistent with Korean Standard Time and the working hours of threat actors based in North Korea.

“The toolset’s environmental keying, memory-only execution, EDR evasion, and low forensic footprint suggest it is purpose-built for long-term observation campaigns,” states Fox-IT. “This allows the actor to quietly maintain access over an extended period before moving to a high-impact final objective such as data theft or a large-scale financial heist, consistent with this actor’s known history.”

Neither RemotePELoader nor RemotePE had appeared on VirusTotal before Fox-IT’s publication, a striking detail that underscores the group’s discipline in reserving its most capable tools for targets worth the effort. For defenders, the researchers recommend hunting host-based indicators: DPAPI-encrypted blobs in unexpected directories and suspicious DLLs masquerading as legitimate Windows services. On the network side, DNS queries to known C2 domains and characteristic HTTP cookie fields can surface the activity, though the traffic is deliberately crafted to blend in with legitimate Microsoft communications.
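The two DPAPI points made on this page, that an encrypted stage is keyed to the victim and that the encrypted blob is still a hunt-able artifact, both follow from what the blob header contains. The following is an added example, not Fox-IT’s code or a RemotePE sample: it parses the on-disk layout that CryptProtectData emits (version, provider GUID, master-key GUID, flags, description, algorithm IDs and length-prefixed salt, ciphertext and MAC, as documented by public DPAPI research) and scans a directory tree for files that start with that header. The master-key GUID, ciphertext and MAC in the sample blob are placeholders constructed here; the provider GUID, algorithm IDs and flag value are real Windows constants.

```python
import os
import struct
import tempfile
import uuid

# Added example: DPAPI blob triage. Layout follows public DPAPI research;
# the sample blob built in demo_scan() is constructed, not a real capture.

DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_MAGIC = struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le  # dwVersion=1 + provider GUID
CRYPTPROTECT_LOCAL_MACHINE = 0x4
ALG_NAMES = {0x6610: "AES-256", 0x6603: "3DES", 0x800E: "SHA-512", 0x800C: "SHA-256", 0x8004: "SHA-1"}


def _take(buf: bytes, off: int, n: int):
    if off + n > len(buf):
        raise ValueError("truncated DPAPI blob")
    return buf[off:off + n], off + n


def _take_lv(buf: bytes, off: int):
    """Length-prefixed field: DWORD byte count followed by that many bytes."""
    raw, off = _take(buf, off, 4)
    return _take(buf, off, struct.unpack("<I", raw)[0])


def parse_dpapi_blob(buf: bytes) -> dict:
    """Header triage only: says which master key (and which scope) is needed, never decrypts."""
    if not buf.startswith(DPAPI_MAGIC):
        raise ValueError("not a DPAPI blob")
    off = len(DPAPI_MAGIC)
    raw, off = _take(buf, off, 24)
    _mk_version, mk_guid_le, flags = struct.unpack("<I16sI", raw)
    desc, off = _take_lv(buf, off)
    raw, off = _take(buf, off, 8)
    alg_crypt, _crypt_bits = struct.unpack("<II", raw)
    salt, off = _take_lv(buf, off)
    _hmac_key, off = _take_lv(buf, off)          # not needed for triage
    raw, off = _take(buf, off, 8)
    alg_hash, _hash_bits = struct.unpack("<II", raw)
    _hmac2_key, off = _take_lv(buf, off)
    data, off = _take_lv(buf, off)
    sign, off = _take_lv(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after DPAPI blob")
    return {
        # The master key file named by this GUID lives in the user's profile
        # (or the machine keystore) and is encrypted with secrets that a
        # sample uploaded to a sandbox or VirusTotal simply does not carry.
        "master_key_guid": str(uuid.UUID(bytes_le=mk_guid_le)),
        "scope": "machine" if flags & CRYPTPROTECT_LOCAL_MACHINE else "user",
        "description": desc.decode("utf-16-le").rstrip("\x00"),
        "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "salt_len": len(salt), "data_len": len(data), "sign_len": len(sign),
    }


def is_dpapi_blob(buf: bytes) -> bool:
    try:
        parse_dpapi_blob(buf)
        return True
    except ValueError:
        return False


def build_dpapi_blob(mk_guid: uuid.UUID, data: bytes, salt: bytes, sign: bytes,
                     flags: int = 0, description: str = "") -> bytes:
    """Constructed blob in the same layout; ciphertext, salt and MAC are placeholders."""
    lv = lambda b: struct.pack("<I", len(b)) + b
    desc = (description + "\x00").encode("utf-16-le")  # UTF-16LE with terminator
    return (DPAPI_MAGIC + struct.pack("<I", 1) + mk_guid.bytes_le + struct.pack("<I", flags)
            + lv(desc) + struct.pack("<II", 0x6610, 256) + lv(salt) + lv(b"")
            + struct.pack("<II", 0x800E, 512) + lv(b"\x11" * 32) + lv(data) + lv(sign))


def scan_for_dpapi_blobs(root: str) -> list:
    """Return paths under root whose first 20 bytes are the DPAPI blob header."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(DPAPI_MAGIC))
            except OSError:
                continue
            if head == DPAPI_MAGIC:
                hits.append(path)
    return sorted(hits)


def demo_scan() -> dict:
    """Drop one constructed blob beside an innocent file, scan, and triage each hit."""
    mk = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder master-key GUID
    blob = build_dpapi_blob(mk, b"\x00" * 48, b"\xaa" * 32, b"\xbb" * 64)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "settings.bin"), "wb") as fh:
            fh.write(blob)
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"not a blob")
        results = {}
        for path in scan_for_dpapi_blobs(root):
            with open(path, "rb") as fh:
                results[os.path.basename(path)] = parse_dpapi_blob(fh.read())
        return results


if __name__ == "__main__":
    for name, info in demo_scan().items():
        print(name, info)
```

Pointed at a suspect directory instead of the temp folder, the scanner gives the first host-based indicator Fox-IT recommends, and the parsed scope tells the responder whose master key (and therefore whose credentials or machine secret) would be needed to recover the next stage. It does not attempt decryption; that is exactly what cannot be done from a sample alone.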

“The DPAPILoader, RemotePELoader, and RemotePE toolset represents a deliberate effort to minimise forensic footprint. A RemotePELoader sample from disk uploaded to VirusTotal is useless without the victim’s DPAPI keys,” concludes the report. “Furthermore, by combining environmental keying via DPAPI with fully in-memory execution of the final payload, the actor ensures that forensic imaging of the disk will not yield recoverable artifacts of RemotePE.”

The researchers published YARA rules and indicators of compromise (IoCs) for this campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus)
