Lazarus Targets the Financial Sector with Memory-Only Malware Toolset

2026-06-23 Cognyte

https://www.cognyte.com/blog/lazarus-targets-the-financial-sector-with-memory-only-malware-toolset/


A North Korea-linked Lazarus subgroup targeted financial institutions and cryptocurrency organizations with a multi-stage malware framework built around DPAPILoader, RemotePELoader, and the in-memory RemotePE RAT. The toolset uses Windows DPAPI for environmental keying: because a DPAPI-protected blob can only be decrypted with the master key of the user or machine that protected it, payloads are difficult to analyze outside the victim system, and hash-based detection loses much of its value since the stored artifact differs per host. RemotePE provides command execution, file manipulation, process management, and data access, supporting long-term access for financial theft, intelligence collection, or data exfiltration. Cognyte frames the activity as part of Lazarus’ continued shift toward stealth-first, memory-resident tradecraft against high-value financial environments.

Indicators of Compromise

Type   Value                                 First Seen   Last Seen
YARA   Lazarus_RemotePE_DPAPI_Encrypte…      2026-05-22   2026-06-23
YARA   Lazarus_RemotePE_class_strings        2025-09-01   2026-06-23
YARA   Lazarus_RemotePE_C2_strings           2025-09-01   2026-06-23
YARA   Lazarus_DPAPILoader_Hunting           2025-09-01   2026-06-23
