lazarusholic

Everyday is lazarus.dayβ

RemotePE: The Lazarus RAT that lives in memory

2026-05-22, Foxit
https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
#Lazarus #RemotePE

Authors: Yun Zheng Hu and Mick Koomen
Summary
Last year, we published research[1] about a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations, encountered during multiple incident response engagements. This Lazarus subgroup overlaps with activity linked to AppleJeus[2], Citrine Sleet[3], UNC4736[4], and Gleaming Pisces[5]. In one investigation, we observed that the actor had replaced ThemeForestRAT and PondRAT with a more sophisticated memory-only toolset. This follow-up post covers all three malware families from that toolset: DPAPILoader, RemotePELoader and RemotePE.
The three form a chain. DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI). RemotePELoader beacons to a C2 server and waits until it receives the next stage: RemotePE, a RAT executed entirely in memory and never written to disk, leaving no filesystem artifacts. At the time of writing, we have not found samples of RemotePELoader or RemotePE on VirusTotal.
The toolset’s environmental keying, memory-only execution, EDR evasion, and low …

IoC

https://github.com/hasherezade/libpeconv
https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/
http://akamaicloud.com
https://docs.dissect.tools/en/stable
https://attack.mitre.org/techniques/T1480/001/
https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese
https://github.com/trickster0/TartarusGate
http://livedrivefiles..com
http://msdeliverycontent.com
http://aes-secure.net
https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise
https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/
https://docs.dissect.tools/en/stable/
https://github.com/am0nsec/HellsGate
http://devicelinkintel.com
http://intelcloudinsights.com
https://securelist.com/operation-applejeus/87553/
http://azureglobalaccelerator.com
https://github.com/hasherezade/pe_to_shellcode/releases/tag/v1.2
import "pe"

rule Lazarus_DPAPILoader_Hunting {
    meta:
        description = "Hunting rule to detect DPAPILoader, a loader used to load RemotePE."
        author = "Fox-IT / NCC Group"
    strings:
        $msg_1 = "[!] Could not allocate memory at the desired base!\n"
        $msg_2 = "[!] Virtual section size is out ouf bounds: "
        $msg_3 = "[!] Invalid relocDir pointer\n"
        $msg_4 = "[-] Not supported relocations format at %d: %d\n"
        $msg_5 = "[!] Cannot fill imports into 32 bit PE via 64 bit loader!\n"
    condition:
        any of them and pe.imports("Crypt32.dll", "CryptUnprotectData")
}

rule Lazarus_RemotePE_class_strings {
    meta:
        description = "RemotePE class strings."
        author = "Fox-IT / NCC Group"
    strings:
        $a = "IMiddleController" ascii wide xor
        $b = "IChannelController" ascii wide xor
        $c = "IConfigProfile" ascii wide xor
        $d = "IKernelModule" ascii wide xor
    condition:
        all of them
}

rule Lazarus_RemotePE_C2_strings {
    meta:
        description = "RemotePE strings used for C2."
        author = "Fox-IT / NCC Group"
    strings:
        $a = "MicrosoftApplicationsTelemetryDeviceId" wide ascii xor
        $b = "armAuthorization" wide ascii xor
        $c = "ai_session" wide ascii xor
    condition:
        uint16(0) == 0x5A4D and all of them
}

rule Lazarus_RemotePE_DPAPI_Encrypted_config {
    meta:
        description = "Detects RemotePE DPAPI-encrypted config on disk"
        author = "Fox-IT Security Research Team"
    condition:
        filesize == 3094
        and uint32(0) == 0x00000001 // DPAPI blob version = 1
        and uint32(0x8E) == 0x00000B40 // dwDataLen = 0xB40 (padded config)
}
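The last rule above keys on two hard-coded offsets in a DPAPI blob, and it is worth seeing why offset 0x8E is where dwDataLen lands. The script below is an added example written for this page, not Fox-IT code: it walks the documented DPAPI_BLOB layout field by field, reports where dwDataLen sits, and re-implements the YARA condition in Python for triage of a suspect file outside YARA. The sample blob is constructed inside the script (zero GUIDs, zero-filled payload and signature); the CALG_AES_256 and CALG_SHA_512 algorithm identifiers are ordinary Windows constants chosen for the sample, as the page does not say which algorithms the real config uses.

```python
"""Parse a DPAPI blob header and test the offsets used by the RemotePE config rule.

Added example, not Fox-IT code. The blob built here is constructed for the demo:
placeholder GUIDs and zero-filled payload. Only the field layout is the real one.
"""
import struct
import uuid

# Windows ALG_ID values picked for the constructed sample (assumed, not from the page).
CALG_AES_256 = 0x6610
CALG_SHA_512 = 0x800E

# Constants taken from the YARA rule Lazarus_RemotePE_DPAPI_Encrypted_config.
RULE_FILESIZE = 3094
RULE_DATALEN_OFFSET = 0x8E
RULE_DATALEN = 0xB40


def build_blob(description="", salt=bytes(32), hmac_key=b"", hmac2_key=bytes(32),
               data=bytes(RULE_DATALEN), sign=bytes(64)):
    """Serialise a DPAPI_BLOB (little-endian DWORDs, documented field order).

    The description is UTF-16-LE and its terminating null is counted in dwDescriptionLen,
    so an empty description still occupies two bytes.
    """
    desc = description.encode("utf-16-le") + b"\x00\x00"
    out = bytearray()
    out += struct.pack("<I", 1)                            # dwVersion
    out += uuid.UUID(int=0).bytes_le                       # guidProvider (placeholder)
    out += struct.pack("<I", 1)                            # dwMasterKeyVersion
    out += uuid.UUID(int=0).bytes_le                       # guidMasterKey (placeholder)
    out += struct.pack("<I", 0)                            # dwFlags
    out += struct.pack("<I", len(desc)) + desc             # dwDescriptionLen, szDescription
    out += struct.pack("<II", CALG_AES_256, 256)           # algCrypt, dwAlgCryptLen (bits)
    out += struct.pack("<I", len(salt)) + salt             # dwSaltLen, pbSalt
    out += struct.pack("<I", len(hmac_key)) + hmac_key     # dwHmacKeyLen, pbHmacKey
    out += struct.pack("<II", CALG_SHA_512, 512)           # algHash, dwAlgHashLen (bits)
    out += struct.pack("<I", len(hmac2_key)) + hmac2_key   # dwHmac2KeyLen, pbHmac2Key
    out += struct.pack("<I", len(data)) + data             # dwDataLen, pbData
    out += struct.pack("<I", len(sign)) + sign             # dwSignLen, pbSign
    return bytes(out)


def parse_blob(blob):
    """Walk a DPAPI blob and return its header fields plus the offset of dwDataLen."""
    pos = 0

    def u32():
        nonlocal pos
        (value,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return value

    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated blob")
        chunk = blob[pos:pos + n]
        pos += n
        return chunk

    info = {"version": u32()}
    if info["version"] != 1:
        raise ValueError("not a DPAPI blob (dwVersion != 1)")
    info["provider_guid"] = str(uuid.UUID(bytes_le=take(16)))
    info["masterkey_version"] = u32()
    info["masterkey_guid"] = str(uuid.UUID(bytes_le=take(16)))
    info["flags"] = u32()
    info["description"] = take(u32()).decode("utf-16-le").rstrip("\x00")
    info["alg_crypt"], info["alg_crypt_bits"] = u32(), u32()
    info["salt_len"] = len(take(u32()))
    info["hmac_key_len"] = len(take(u32()))
    info["alg_hash"], info["alg_hash_bits"] = u32(), u32()
    info["hmac2_key_len"] = len(take(u32()))
    info["datalen_offset"] = pos          # this is the 0x8E the YARA rule hard-codes
    info["data_len"] = len(take(u32()))
    info["sign_len"] = len(take(u32()))
    if pos != len(blob):
        raise ValueError("trailing bytes after pbSign")
    return info


def matches_config_rule(blob):
    """Python equivalent of the YARA condition: filesize, dwVersion and dwDataLen at 0x8E."""
    if len(blob) != RULE_FILESIZE:
        return False
    return (struct.unpack_from("<I", blob, 0)[0] == 1
            and struct.unpack_from("<I", blob, RULE_DATALEN_OFFSET)[0] == RULE_DATALEN)


if __name__ == "__main__":
    sample = build_blob()
    fields = parse_blob(sample)
    print(f"size={len(sample)} datalen_offset=0x{fields['datalen_offset']:X} "
          f"data_len=0x{fields['data_len']:X} sign_len={fields['sign_len']} "
          f"rule_match={matches_config_rule(sample)}")
```

Walking the header shows that 0x8E is reached only with an empty description, a 32-byte salt, no HMAC key and a 32-byte HMAC2 key, and 3094 bytes only with a 64-byte signature around the 0xB40-byte padded payload; a config with a different description or salt length would shift dwDataLen and fall outside the rule, which is why it is best paired with the loader and RAT string rules above. Since RemotePE itself never touches disk, this encrypted config blob is one of the few filesystem artifacts a responder can expect to find.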