remotepe

According to Cryptopolitan, cybersecurity analysts have discovered a new type of fileless remote access trojan (RAT) named RemotePE. It is believed that the cybercrime organization Lazarus Group, associated with North Korea, is using this trojan to attack banks and cryptocurrency companies. The trojan operates entirely in memory, making it difficult for traditional antivirus and forensic tools to detect. Attackers impersonate trading company employees via Telegram, using forged Calendly and Picktime links for social engineering attacks. The malware is loaded in a three-stage chain through DPAPILoader, RemotePELoader, and RemotePE, with the entire process avoiding contact with the file system, utilizing process hollowing, anti-analysis checks, and encrypted C2 communication to evade detection.This malware was first discovered in September 2025. In the first four months of 2026, the Lazarus organization has stolen approximately $577 million in cryptocurrency assets, accounting for 76% of the total global cryptocurrency theft. Since 2017, the organization has accumulated a total theft amount of $6 billion.