The North Korean-linked threat actor group known as Lazarus Group has been observed deploying a sophisticated fileless Remote Access Trojan (RAT) dubbed RemotePE against cryptocurrency exchanges, fintech organizations, decentralized finance (DeFi) platforms, and banking institutions. The malware operates almost entirely in memory, significantly reducing forensic artifacts and evading traditional endpoint detection solutions.
The campaign leverages highly targeted social engineering techniques, including impersonation of trading firms via Telegram and the use of spoofed scheduling platforms such as Calendly and Picktime to lure victims into executing malicious payloads. This activity reflects a continued evolution in Lazarus’ financially motivated operations.
Threat Overview

Technical Analysis
Initial Access: Attackers initiate compromise through highly tailored social engineering interactions. Operators impersonate employees of trading or investment firms and communicate with targets primarily through Telegram. Victims are directed to fraudulent meeting scheduling pages designed to imitate legitimate platforms such as Calendly and Picktime. Once engagement is established, victims are tricked into executing malware that begins a staged infection process.
Malware Execution Chain
The RemotePE attack chain consists of multiple components engineered to minimize filesystem interaction and evade security monitoring:
- DPAPILoader (Iassvc.dll) - Uses Windows Data Protection API (DPAPI) mechanisms to decrypt malicious payloads stored locally.
- RemotePELoader - Establishes outbound communication with attacker-controlled infrastructure and retrieves the final payload directly into memory.
- RemotePE RAT - Executes entirely in memory without leaving conventional disk artifacts, enabling stealthy persistence and remote-control capabilities.
Evasion and Persistence Techniques
The malware employs multiple advanced defense evasion mechanisms:
- Fileless execution to avoid filesystem-based detection
- Hell’s Gate direct syscall technique to bypass EDR monitoring
- ETW (Event Tracing for Windows) patching to suppress telemetry logging
- Process hollowing for stealthy code execution
- Encrypted command-and-control communications
- Anti-analysis and reconnaissance checks before payload deployment
Impact Assessment for Fintech Organizations
This campaign presents a significant risk to fintech organizations due to the malware’s stealth capabilities and Lazarus Group’s historical focus on financially motivated operations.
Potential impacts include:
- Unauthorized access to financial systems
- Theft of cryptocurrency assets and wallets
- Compromise of trading infrastructure
- Credential harvesting
- Internal reconnaissance for future attacks
- Supply-chain compromise opportunities
- Long-term persistence within enterprise environments
MITRE ATT&CK Mapping

Indicators of Compromise (IOCs)
Domains
aes-secure[.]net
azureglobalaccelerator[.]com
File Names
Iassvc.dll
DPAPILoader
RemotePELoader
RemotePE
PondRAT
ThemeForestRAT
POOLRAT/SIMPLESEA
Delivery Themes
Fake Calendly invitations
Fake Picktime meeting pages
Telegram impersonation of trading firms
Recommendations
- Enable advanced memory scanning and behavioral EDR capabilities
- Monitor for abnormal in-memory process execution
- Block or inspect suspicious outbound encrypted communications
- Restrict execution of unsigned DLLs
- Implement application allowlisting
- Educate employees on targeted Telegram impersonation campaigns
- Validate meeting invitations received from external parties
- Verify scheduling links before interaction
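A defender-side check for the in-process ETW patching listed under Evasion and Persistence Techniques, in support of the memory-scanning recommendation above: compare the in-memory prologue of each ETW export against the clean copy from the on-disk image and report divergences. This is an added example, not code from the original advisory; it assumes the caller has already read the prologue bytes from the live process and from the on-disk ntdll image, and the sample bytes are constructed, not real ntdll code.

```python
"""Flag in-memory tampering of exported functions by comparing their prologue
bytes with the clean on-disk copy. Acquisition of the two byte strings (e.g.
ReadProcessMemory on the live process, export-table parsing of the on-disk
ntdll.dll) is assumed to be done by the caller."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PROLOGUE_LEN = 16  # bytes compared per export; covers a short inline patch


@dataclass(frozen=True)
class Finding:
    export: str
    offset: int      # index of the first differing byte
    memory: bytes
    disk: bytes


def diff_prologue(name: str, memory: bytes, disk: bytes,
                  length: int = PROLOGUE_LEN) -> Optional[Finding]:
    """Return a Finding if the first `length` bytes diverge, else None.
    A truncated in-memory read (unreadable page) is reported as a divergence
    at the point where the data stops."""
    mem, ref = memory[:length], disk[:length]
    if mem == ref:
        return None
    offset = next((i for i, (a, b) in enumerate(zip(mem, ref)) if a != b),
                  min(len(mem), len(ref)))
    return Finding(name, offset, mem, ref)


def scan_exports(memory_prologues: Dict[str, bytes],
                 disk_prologues: Dict[str, bytes]) -> List[Finding]:
    """Compare every export known from disk; an export that could not be read
    from memory at all is reported with empty memory bytes (offset 0)."""
    findings = []
    for name, ref in sorted(disk_prologues.items()):
        f = diff_prologue(name, memory_prologues.get(name, b""), ref)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample data (not real ntdll bytes): the disk copy is the clean
# reference; EtwEventWrite's in-memory prologue was altered at byte 0, while
# EtwEventRegister is untouched.
DISK = {"EtwEventWrite": bytes(range(0x40, 0x50)),
        "EtwEventRegister": bytes(range(0x60, 0x70))}
MEMORY = {"EtwEventWrite": b"\xcc\xcc" + bytes(range(0x42, 0x50)),
          "EtwEventRegister": bytes(range(0x60, 0x70))}

if __name__ == "__main__":
    for f in scan_exports(MEMORY, DISK):
        print(f"{f.export}: memory differs from disk at offset {f.offset}")
```

Legitimate EDR products also place inline hooks on these exports, so triage findings against known-good hooking rather than alerting on every divergence; x64 prologues are largely position-independent, but any relocation inside the compared window would need fixing up before comparison.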