The program hides in RAM and leaves almost no traces for security systems to detect

Lazarus Group unleashes stealth trojan RemotePE on the crypto sector

26.05.2026 - 09:10

Key points:

  • North Korea's Lazarus group is attacking banks and crypto exchanges with a new trojan called RemotePE.
  • The hackers approach their victims on Telegram, posing as employees of trading firms.
  • From January through April 2026, Lazarus stole $577 million — 76% of all crypto thefts.

Cybersecurity researchers have uncovered a new remote access trojan (RAT) called RemotePE that operates entirely in memory. The tool is now part of the arsenal of North Korea's Lazarus group, which is targeting banks, crypto exchanges, and fintech projects. Because it runs entirely in RAM, ordinary antivirus tools and digital forensics software are largely blind to it.

In one documented case, a DeFi project's network was infected with three RATs at once: RemotePE, PondRAT, and ThemeForestRAT took turns running on compromised machines.

How the Lazarus Group attack works

The scenario begins with social engineering. The operators message victims on Telegram, posing as employees of trading firms, and send out fake links to Calendly and Picktime meeting schedulers. As soon as the target confirms the meeting, the infection chain kicks in.

The attack itself unfolds in three stages. First, the loader DPAPILoader lands on the victim's machine (deployed under the file name Iassvc.dll, it has been in circulation since November 2023). It uses Windows' built-in Data Protection API (DPAPI) to decrypt the malicious code. Next comes a second loader, RemotePELoader. It reaches out to a command-and-control server at aes-secure[.]net and pulls the main trojan straight into the computer's memory, bypassing the hard drive entirely.

To stay invisible to endpoint detection and response (EDR) tools, the loader uses specialized evasion techniques — Hell's Gate and ETW patching. The RemotePE trojan itself is never written to disk, which makes it extremely difficult for investigators to find traces of the attack after the fact.

Analysts at Fox-IT (part of NCC Group) believe RemotePE is designed not for a quick strike, but for prolonged, stealthy operations inside a victim's network. Reconnaissance first — then the attack. The first cases of the trojan being used were recorded in September 2025.

Lazarus's share of crypto thefts hits 76%

According to estimates by blockchain analysts at TRM Labs, Lazarus Group siphoned off around $577 million in digital assets between January and April 2026. That accounts for 76% of all crypto thefts worldwide — and the figure stems from just two major incidents during the period.

North Korea's share of crypto hacks has grown sharply in recent years: from a handful of isolated cases in earlier years, to 64% in 2025, to 76% in the early months of 2026.