The North Korea-linked Lazarus APT group has been observed using a stealthy fileless remote access trojan built to evade detection and leave minimal forensic evidence, according to a recent report by Fox-IT, part of NCC Group. The actor, which has targeted cryptocurrency exchanges and financial institutions for years, appears to have refined its operations with a memory-only malware framework built for long-term access and covert surveillance. Researchers uncovered the malware during an incident response engagement at an unnamed decentralized finance (DeFi) organization, where a three-stage toolset whose final payload is known as RemotePE was in use.
Fox-IT researchers explained that the chain consists of three components that together provide stealth and persistence. The first stage, DPAPILoader, uses the Windows Data Protection API (DPAPI) to decrypt and execute the second-stage payload. Because DPAPI ties the encryption to the master key of a specific user account (or machine), a protected payload copied off the victim host cannot be decrypted in a lab or sandbox, which significantly complicates forensic analysis. The same property gives every victim a unique encrypted payload, and therefore a unique file hash, so signature-based detection that keys on hashes is largely ineffective; detection has to rely on behaviour or on the fixed structure of the blob instead. According to Fox-IT, the Lazarus subgroup behind the operation overlaps with the activity other vendors track as AppleJeus, Citrine Sleet, UNC4736 and Gleaming Pisces, and it has replaced previously observed malware families such as ThemeForestRAT and PondRAT with a more advanced memory-resident toolset.
The attack chain reportedly begins with social engineering on Telegram, where the attackers impersonate employees of legitimate trading firms and lure victims into fake meetings via spoofed Calendly and Picktime domains. Once the first stage is running, the second stage, RemotePELoader, contacts a command-and-control (C2) server and removes the API hooks that endpoint detection and response (EDR) products place to monitor process activity. Researchers noted that it also disables Event Tracing for Windows (ETW) to further reduce defender visibility. The final payload, RemotePE, executes entirely in memory and is never written to disk, which makes it particularly hard to detect. Written in C++, the trojan supports process management, plugin loading and file handling, and includes a secure-deletion routine that uses a seven-pass overwrite pattern matching techniques previously seen in Lazarus-associated malware such as PondRAT and POOLRAT. Fox-IT recovered four samples showing incremental development between July 2023 and May 2024, indicating that the malware was maintained and updated over an extended period.
The researchers also highlighted operational patterns that point to hands-on-keyboard deployment rather than automated infection. During the analysis, Fox-IT emulated RemotePELoader's communication with live command-and-control infrastructure and found that payload delivery required manual approval from an operator. Activity was observed during daytime hours in the UTC+9 time zone, consistent with Korean Standard Time. The researchers assess that the malware is built for prolonged observation before a transition to high-impact activity such as data theft or financial compromise. Notably, neither RemotePELoader nor RemotePE had appeared on VirusTotal before the research was published, reflecting the restricted use of these tools against selected targets. Fox-IT advised defenders to hunt for DPAPI-encrypted files in unusual directories, DLLs masquerading as Windows services, DNS queries for known command-and-control domains, and HTTP traffic patterns crafted to imitate legitimate Microsoft network traffic.
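The two DPAPI points above (payloads that are unique per victim and so defeat hash matching, and the advice to hunt for DPAPI-encrypted files in unusual directories) can be turned into a structural check: every DPAPI blob begins with a fixed version and provider GUID header and carries, in cleartext, the GUID of the master key needed to decrypt it, the protection scope (user or machine) and the cipher and hash algorithm identifiers. The Python scanner below is an added example and is not Fox-IT's tooling or anything from the report; the sample file set, the master-key GUID and the list of "expected" directories are constructed for the illustration, and the blob it builds has a valid layout but filler key material.

```python
"""Hunt for Windows DPAPI blobs by structure and report the master key each one needs.
Added example, not Fox-IT tooling. Header layout follows the public DPAPI_BLOB format."""
import struct
import uuid
from pathlib import Path
from typing import Dict, List, Optional

# Every blob starts with dwVersion = 1 and the provider GUID in Windows little-endian layout.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_MAGIC = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # dwFlags bit: bound to the machine key, not a user's
ALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA-1", 0x800E: "SHA-512"}
# Directories where Windows itself keeps DPAPI data (assumed baseline; extend per environment).
EXPECTED_LOCATIONS = ("/microsoft/protect/", "/microsoft/credentials/", "/microsoft/vault/")


def parse_dpapi_blob(data: bytes) -> Optional[dict]:
    """Parse the cleartext header of a DPAPI blob; None if `data` is not one."""
    if not data.startswith(DPAPI_MAGIC):
        return None
    off = len(DPAPI_MAGIC)
    (mk_version,) = struct.unpack_from("<I", data, off)
    master_key_guid = uuid.UUID(bytes_le=data[off + 4:off + 20])
    flags, desc_len = struct.unpack_from("<II", data, off + 20)
    off += 28
    description = data[off:off + desc_len].decode("utf-16-le", "replace").rstrip("\x00")
    off += desc_len
    alg_crypt, alg_crypt_bits, salt_len = struct.unpack_from("<III", data, off)
    off += 12
    salt = data[off:off + salt_len]
    off += salt_len
    (hmac_key_len,) = struct.unpack_from("<I", data, off)  # legacy field, normally empty
    alg_hash, _alg_hash_bits = struct.unpack_from("<II", data, off + 4 + hmac_key_len)
    return {
        "master_key_version": mk_version,
        "master_key_guid": str(master_key_guid),
        "scope": "machine" if flags & CRYPTPROTECT_LOCAL_MACHINE else "user",
        "description": description,
        "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "cipher_bits": alg_crypt_bits,
        "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "salt_hex": salt.hex(),
    }


def is_unusual_location(path: str) -> bool:
    """True when the path is outside the directories Windows normally uses for DPAPI data."""
    normalized = path.replace("\\", "/").lower()
    return not any(frag in normalized for frag in EXPECTED_LOCATIONS)


def scan_files(files: Dict[str, bytes]) -> List[dict]:
    """Scan {path: leading bytes} and return one finding per DPAPI blob, flagging odd paths."""
    findings = []
    for path, data in files.items():
        info = parse_dpapi_blob(data)
        if info is not None:
            info.update(path=path, unusual_location=is_unusual_location(path))
            findings.append(info)
    return findings


def scan_tree(root: str, head: int = 4096) -> List[dict]:
    """Run the same check over a real directory tree, reading only each file's first bytes."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                with p.open("rb") as fh:
                    files[str(p)] = fh.read(head)
            except OSError:
                continue
    return scan_files(files)


def build_sample_blob(description: str, flags: int = 0) -> bytes:
    """Constructed blob: valid header layout, filler key material, not decryptable."""
    desc = (description + "\x00").encode("utf-16-le")
    mk_guid = uuid.UUID("7e1c3a4b-0f2d-4e7a-9b3c-2d6f8a1e5c90")  # arbitrary master-key GUID
    salt, hmac, ciphertext, sign = bytes(range(32)), bytes(64), b"\xaa" * 48, b"\xbb" * 64
    blob = DPAPI_MAGIC + struct.pack("<I", 1) + mk_guid.bytes_le
    blob += struct.pack("<II", flags, len(desc)) + desc
    blob += struct.pack("<III", 0x6610, 256, len(salt)) + salt + struct.pack("<I", 0)
    blob += struct.pack("<II", 0x800E, 512) + struct.pack("<I", len(hmac)) + hmac
    blob += struct.pack("<I", len(ciphertext)) + ciphertext
    return blob + struct.pack("<I", len(sign)) + sign


# Constructed in-memory "disk" so the example runs offline; paths and contents are invented.
SAMPLE_FILES = {
    r"C:\Users\alice\AppData\Roaming\Microsoft\Credentials\E1A2": build_sample_blob("Local Credential Data"),
    r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1\Preferred": bytes(24),
    r"C:\ProgramData\Example\cache.dat": build_sample_blob(""),
    r"C:\Windows\Temp\svc.bin": build_sample_blob("", CRYPTPROTECT_LOCAL_MACHINE),
    r"C:\Users\alice\notes.txt": b"meeting notes",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        tag = "UNUSUAL " if f["unusual_location"] else "expected"
        print(f"{tag} {f['path']}  scope={f['scope']} mk={f['master_key_guid']} {f['cipher']}/{f['hash']}")
```

Against the constructed set the scanner reports three blobs and flags the two outside the standard DPAPI directories; `scan_tree(r"C:\")` runs the same logic over a live host. The recovered master-key GUID matters for response as much as for detection: it names the master-key file (under `%APPDATA%\Microsoft\Protect\<SID>\` for user scope, or `%SystemRoot%\System32\Microsoft\Protect\S-1-5-18\` for machine scope) that must be preserved alongside the blob, since without it the payload cannot be decrypted anywhere but on the original host, which is exactly the property the loader relies on.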
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.