Rewterz

Lazarus Group Deploys Multi-Stage RemotePE Malware in Stealth Financial Attacks – Active IOCs

Severity

High

Analysis Summary

Cybersecurity researchers have uncovered a sophisticated cross-platform malware framework called RemotePE, which has been linked to the North Korean state-sponsored Lazarus Group and used in attacks against financial institutions and cryptocurrency organizations. According to research, the malware is deployed through a multi-stage infection chain involving two loaders, DPAPILoader and RemotePELoader, before ultimately delivering the RemotePE remote access trojan (RAT).

The attack begins with targeted social engineering. In a documented case involving a decentralized finance (DeFi) organization, attackers impersonated employees of a trading company on Telegram and lured victims to fraudulent Calendly and Picktime websites. Once a device was compromised, the malware execution chain was initiated.

The first stage, DPAPILoader, decrypts an encrypted payload stored on disk using the Windows Data Protection API (DPAPI). This payload is then loaded into memory as RemotePELoader, which contacts a command-and-control (C2) server to retrieve the final malware component. RemotePELoader employs advanced evasion techniques, including Hell’s Gate and Event Tracing for Windows (ETW) patching, to avoid detection by security solutions.

The final payload, RemotePE, is a memory-resident RAT written in C++ that never touches the disk, significantly reducing forensic evidence and detection opportunities. It communicates with a C2 server and supports a range of capabilities, including configuration management, file operations, process creation and termination, DLL management, system reconnaissance, and remote command execution. Notably, its file deletion functionality securely overwrites files seven times before deleting them, a behavior previously observed in Lazarus-associated malware families such as PondRAT and POOLRAT.

Analysis of multiple samples indicates that RemotePE was actively developed between mid-2023 and mid-2024. Researchers assess the malware as a highly stealthy tool designed for long-term persistence, intelligence gathering, and covert access. Its memory-only execution, low detection rates, and advanced evasion mechanisms suggest it is reserved for high-value targets, particularly within the financial and cryptocurrency sectors, where Lazarus has historically conducted espionage and financially motivated operations.

Impact

  • Financial Loss
  • Credential Theft
  • Operational Disruption
  • Sensitive Data Exfiltration
  • Unauthorized Remote Access

Indicators of Compromise

Domain Name

  • aes-secure.net
  • azureglobalaccelerator.com
  • msdeliverycontent.com
  • intelcloudinsights.com
  • devicelinkintel.com

MD5

  • 40c45ad6fef563af8a73dd48a38dc8ba
  • 75a46b23825ce7aa4ca297d93450f4e2
  • 23c2569a65870a9e412d98d5b3bdc554
  • 85766786fd00957737f1c88632ab9e0d
  • 557551f8468b55e64af8969e71f9246f

SHA-256

  • 4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874
  • aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039
  • 159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3
  • 7a05188ab0129b0b4f38e2e7599c5c52149ce0131140db33feb251d926428d68
  • 710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8

SHA-1

  • 81c744562d568a0e8a6938df0abc5fba7cfcb3b4
  • 3b994549ab4fd9024b2f0155094d7aa43b70bb8f
  • 91def0a4dd9b35510d7f8897bc114f975a5d7e2b
  • 3142704d014ed89d1b4d538b6aa796bd371b6990
  • 2eaefd5a62a3a0d0181f1bee5a5aa0979fa51cf4
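
As an added example (not Rewterz's tooling), the matcher below applies the indicators listed above to two kinds of telemetry a defender typically has: DNS resolver queries and a file-hash inventory. The domains and hashes are copied from this advisory; the log formats, hostnames, file paths and every log line are constructed for illustration, and the all-zero digest stands in for a benign file. Domain matching normalises case and trailing dots and treats subdomains of a listed domain as hits; hash matching is case-insensitive across all three algorithms.

```python
"""IoC matcher for the RemotePE indicators in this advisory.
Added example, not Rewterz's tooling: domains and hashes come from the
advisory's IoC list; the log formats and every log line are constructed."""
import re
from typing import Optional

# C2 domains from the advisory.
C2_DOMAINS = {
    "aes-secure.net",
    "azureglobalaccelerator.com",
    "msdeliverycontent.com",
    "intelcloudinsights.com",
    "devicelinkintel.com",
}

# MD5, SHA-1 and SHA-256 values from the advisory, in one set so a record
# matches whichever algorithm the inventory used.
KNOWN_HASHES = {
    # MD5
    "40c45ad6fef563af8a73dd48a38dc8ba",
    "75a46b23825ce7aa4ca297d93450f4e2",
    "23c2569a65870a9e412d98d5b3bdc554",
    "85766786fd00957737f1c88632ab9e0d",
    "557551f8468b55e64af8969e71f9246f",
    # SHA-1
    "81c744562d568a0e8a6938df0abc5fba7cfcb3b4",
    "3b994549ab4fd9024b2f0155094d7aa43b70bb8f",
    "91def0a4dd9b35510d7f8897bc114f975a5d7e2b",
    "3142704d014ed89d1b4d538b6aa796bd371b6990",
    "2eaefd5a62a3a0d0181f1bee5a5aa0979fa51cf4",
    # SHA-256
    "4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874",
    "aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039",
    "159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3",
    "7a05188ab0129b0b4f38e2e7599c5c52149ce0131140db33feb251d926428d68",
    "710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8",
}

# Constructed DNS resolver log: "<utc-time> <host> query <type> <name> <rcode>".
SAMPLE_DNS_LOG = """\
2026-06-01T09:12:44Z ws-017 query A www.example.com NOERROR
2026-06-01T09:13:02Z ws-017 query A cdn.msdeliverycontent.com NOERROR
2026-06-01T09:13:05Z ws-017 query A AES-SECURE.NET. NOERROR
2026-06-01T09:14:10Z ws-021 query A updates.example.org NOERROR
"""

# Constructed file-hash inventory: "<host>,<path>,<algorithm>,<digest>".
# The all-zero digest is a placeholder for a benign file, not a real hash.
SAMPLE_HASH_RECORDS = """\
ws-017,C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.dat,sha256,4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874
ws-017,C:\\Windows\\System32\\notepad.exe,sha256,0000000000000000000000000000000000000000000000000000000000000000
ws-021,C:\\Users\\asmith\\Downloads\\invite.exe,md5,75A46B23825CE7AA4CA297D93450F4E2
"""

_DNS_QUERY = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)\s+\S+$")


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot so FQDN spellings compare equal."""
    return name.strip().lower().rstrip(".")


def domain_is_indicator(name: str) -> Optional[str]:
    """Return the listed C2 domain that `name` equals or is a subdomain of."""
    host = normalize_domain(name)
    for ioc in C2_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def match_dns_log(text: str) -> list:
    """Flag queries for listed C2 domains, in log order."""
    hits = []
    for line in text.splitlines():
        m = _DNS_QUERY.match(line)
        if not m:
            continue  # not a query record; ignore
        ts, host, qname = m.groups()
        ioc = domain_is_indicator(qname)
        if ioc:
            hits.append({"time": ts, "host": host, "query": qname, "indicator": ioc})
    return hits


def match_hash_records(text: str) -> list:
    """Flag inventory rows whose digest is a listed hash (case-insensitive)."""
    hits = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 4:
            continue  # malformed row; ignore
        host, path, algo, digest = parts
        if digest.lower() in KNOWN_HASHES:
            hits.append({"host": host, "path": path, "algo": algo, "digest": digest.lower()})
    return hits
```

Run against the constructed input, `match_dns_log(SAMPLE_DNS_LOG)` returns two hits for ws-017 (the subdomain of msdeliverycontent.com and the upper-cased FQDN of aes-secure.net) and `match_hash_records(SAMPLE_HASH_RECORDS)` returns the two rows whose digests appear in the advisory; a real deployment would feed exported resolver and EDR inventory data through the same two functions.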

Remediation

  • Enforce multi-factor authentication (MFA) to reduce the risk posed by compromised credentials
  • Implement strict email and messaging security controls to block social engineering attempts
  • Restrict execution of unknown or unsigned binaries using application allowlisting
  • Monitor PowerShell, WMI, and scripting activity for suspicious behavior
  • Deploy endpoint detection and response (EDR) with memory forensics capability
  • Block and monitor malicious domains and C2 infrastructure using threat intelligence feeds
  • Enable logging and alerting for DPAPI usage and credential access events
  • Apply least privilege access to limit lateral movement opportunities
  • Regularly patch operating systems and applications to close exploitation gaps
  • Segment networks to prevent malware spreading across critical systems
  • Use behavior-based detection to identify fileless and in-memory malware activity
  • Monitor outbound HTTP/HTTPS traffic for unusual beaconing patterns
  • Conduct phishing awareness training to reduce social engineering success
  • Harden endpoint security by disabling unnecessary services and macros
  • Regularly audit running processes and loaded DLLs for anomalies
  • Maintain secure backups with offline or immutable storage to mitigate destruction risks
  • Implement zero trust architecture principles to validate every access request
  • Continuously update threat intelligence rules for Lazarus Group TTPs
  • Conduct incident response drills to improve containment and recovery readiness
  • Use DNS filtering to block access to malicious infrastructure
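
The "unusual beaconing patterns" bullet above describes behaviour rather than a fixed indicator, so it needs a different kind of check. As an added example (not Rewterz's tooling), the script below groups outbound connections by source host and destination and flags pairs whose inter-connection intervals are unusually regular, measured as the coefficient of variation (standard deviation divided by mean) of the gaps. The proxy log format, the documentation-range IP addresses, the hostnames and the thresholds (at least five intervals, CV at or below 0.2) are assumptions; every log line is constructed.

```python
"""Beacon-interval check for outbound connection logs.
Added example, not Rewterz's tooling. Log format, IPs, hostnames and
thresholds are assumptions; every log line below is constructed."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed proxy log: "<utc-time> <source-host> <dest-ip:port> <action>".
# ws-017 reconnects to one destination about once a minute (a beacon-like
# pattern); ws-021's connections are irregular; ws-030 has too few to judge.
SAMPLE_PROXY_LOG = """\
2026-06-01T09:00:00Z ws-017 198.51.100.23:443 CONNECT
2026-06-01T09:00:05Z ws-021 203.0.113.10:443 CONNECT
2026-06-01T09:00:09Z ws-021 203.0.113.10:443 CONNECT
2026-06-01T09:01:01Z ws-017 198.51.100.23:443 CONNECT
2026-06-01T09:02:00Z ws-017 198.51.100.23:443 CONNECT
2026-06-01T09:02:59Z ws-017 198.51.100.23:443 CONNECT
2026-06-01T09:03:40Z ws-021 203.0.113.10:443 CONNECT
2026-06-01T09:04:00Z ws-021 203.0.113.10:443 CONNECT
2026-06-01T09:04:02Z ws-017 198.51.100.23:443 CONNECT
2026-06-01T09:05:00Z ws-017 198.51.100.23:443 CONNECT
2026-06-01T09:05:58Z ws-017 198.51.100.23:443 CONNECT
2026-06-01T09:06:30Z ws-030 203.0.113.44:443 CONNECT
2026-06-01T09:07:00Z ws-017 198.51.100.23:443 CONNECT
2026-06-01T09:12:30Z ws-021 203.0.113.10:443 CONNECT
2026-06-01T09:13:10Z ws-021 203.0.113.10:443 CONNECT
2026-06-01T09:20:00Z ws-030 203.0.113.44:443 CONNECT
"""


def parse_log(text: str) -> dict:
    """Group connection times by (source, destination); each list is sorted."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line; ignore
        ts, src, dst, _action = fields
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_pair[(src, dst)].append(when)
    for times in by_pair.values():
        times.sort()  # log lines may be interleaved or out of order
    return by_pair


def interval_stats(times: list):
    """Return (mean gap in seconds, coefficient of variation), or None when
    there are no gaps to measure or the mean gap is zero (CV undefined)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def analyse_beacons(text: str, min_intervals: int = 5, max_cv: float = 0.2) -> list:
    """Flag (source, destination) pairs with at least `min_intervals` gaps
    whose spread relative to the mean gap is at or below `max_cv`."""
    flagged = []
    for (src, dst), times in sorted(parse_log(text).items()):
        if len(times) - 1 < min_intervals:
            continue  # too few samples for a regularity verdict
        stats = interval_stats(times)
        if stats is None:
            continue
        avg, cv = stats
        if cv <= max_cv:
            flagged.append({"src": src, "dst": dst, "connections": len(times),
                            "mean_interval_s": avg, "cv": round(cv, 3)})
    return flagged


if __name__ == "__main__":
    for hit in analyse_beacons(SAMPLE_PROXY_LOG):
        print(hit)
```

On the constructed log only the ws-017 pair is flagged (eight connections, mean gap 60 s, CV about 0.03); ws-021 has enough samples but a CV above 1, and ws-030 is skipped for lack of data. Legitimate software also polls on fixed intervals, so a low CV is a lead to triage against destination reputation and process context, not a verdict on its own; malware that adds jitter raises the CV, which is why the threshold should be tuned against the environment's own baseline rather than fixed at the value assumed here.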