RemotePE
RemotePE is a Lazarus-linked final-stage remote access trojan (RAT) used in a three-stage malware framework alongside DPAPILoader and RemotePELoader. Reporting attributes the activity to a North Korea-linked Lazarus subgroup with overlaps to clusters tracked as AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces. The toolset has been observed targeting financial institutions, cryptocurrency organizations, and at least one decentralized finance organization, consistent with financially motivated operations and long-term stealthy access.
RemotePE is written in C++ and executes entirely in memory, leaving no filesystem artifacts. It is delivered by RemotePELoader after that loader retrieves the payload from attacker-controlled command-and-control infrastructure, often in an apparent actor-in-the-loop delivery model. Across reporting, the broader chain uses Windows DPAPI-based environmental keying in earlier stages, making payloads victim-bound and reducing the usefulness of static sample analysis and hash-based detection.
Documented RemotePE capabilities include command execution, file operations and exploration, process creation and termination, process management, configuration management, timers/sleep scheduling, ping handling, data access, ZIP/compression-assisted collection and exfiltration, and dynamic loading of reflective DLL plugins at runtime. The malware uses a modular plugin system and a multithreaded architecture centered on IChannelController and IMiddleController threads for C2 communications and command processing. It also implements secure deletion by overwriting files seven times before renaming/deleting them, a behavior noted as consistent with other Lazarus-associated malware such as PondRAT and POOLRAT.
Associated tradecraft in the framework includes reflective PE loading, AES-GCM-encrypted C2 messaging, HTTP POST communications, and traffic formatted to resemble Microsoft telemetry, including cookie names such as MSCC, MicrosoftApplicationsTelemetryDeviceId, at_check, and ai_session. Reporting also describes evasion in the chain through HellsGate/TartarusGate-style direct syscall use, remapping clean DLLs from \KnownDlls to remove userland hooks, and patching EtwEventWrite() to suppress ETW logging. RemotePE-related infrastructure was reported on Namecheap shared hosting, with cited domains including livedrivefiles.com, aes-secure.net, azureglobalaccelerator.com, msdeliverycontent.com, akamaicloud.com, intelcloudinsights.com, and devicelinkintel.com.
High-confidence host/network indicators cited in the reporting include the event name 554D5C1F-AABE-49E4-AB57-994D22ECED28, used by RemotePE as an external wake mechanism; the Lazarus-linked service/DLL masquerade involving C:\Windows\System32\Iassvc.dll under the service name "Internet Authentication Service" in the broader chain; and a published RemotePELoader SHA-256 of 7a05188ab0129b0b4f38e2e7599c5c52149ce0131140db33feb251d926428d68. Fox-IT reported active development of RemotePE samples between July 2023 and May 2024 and published YARA rules and additional indicators of compromise for detection.
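As an added defender-side example (not code from the page's sources, from Fox-IT, or from Mallory), the check below scores proxy log lines against the two C2 traits the reporting gives: the cited RemotePE domains, and the Microsoft-telemetry cookie names sent over HTTP POST to a host that is not Microsoft's. The key=value log format, the sample lines, and the list of first-party Microsoft suffixes are assumptions; a single cookie name such as ai_session is legitimately common, so only two or more on a POST to a non-Microsoft host is treated as the mimicry pattern.

```python
import re

# Cookie names the reporting says RemotePE uses to mimic Microsoft telemetry.
TELEMETRY_COOKIES = {"MSCC", "MicrosoftApplicationsTelemetryDeviceId", "at_check", "ai_session"}
# Domains cited in the reporting as RemotePE-related infrastructure.
REPORTED_DOMAINS = {"livedrivefiles.com", "aes-secure.net", "azureglobalaccelerator.com",
                    "msdeliverycontent.com", "akamaicloud.com", "intelcloudinsights.com",
                    "devicelinkintel.com"}
# Assumption: first-party suffixes where these cookie names are legitimately seen.
MICROSOFT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one constructed key=value proxy log line into a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def host_matches(host, suffixes):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def cookie_names(cookie_header):
    return {p.split("=", 1)[0].strip() for p in cookie_header.split(";") if p.strip()}

def assess(entry):
    """Return the reasons a request resembles RemotePE C2 traffic (empty list if none)."""
    reasons, host = [], entry.get("host", "")
    if host_matches(host, REPORTED_DOMAINS):
        reasons.append("destination is reported RemotePE infrastructure")
    hits = cookie_names(entry.get("cookie", "")) & TELEMETRY_COOKIES
    # Two or more mimicked names on a POST to a non-Microsoft host is the reported
    # pattern; a single name (e.g. ai_session from Application Insights) is too common.
    if (len(hits) >= 2 and entry.get("method", "").upper() == "POST"
            and not host_matches(host, MICROSOFT_SUFFIXES)):
        reasons.append(f"telemetry-style cookies {sorted(hits)} sent to non-Microsoft host")
    return reasons

def triage(lines):
    """Return [(host, reasons)] for every log line that triggers at least one reason."""
    scored = [(e.get("host", ""), assess(e)) for e in map(parse_line, lines)]
    return [(host, reasons) for host, reasons in scored if reasons]

# Constructed sample proxy log lines, not taken from any real capture.
SAMPLE_LOG = [
    'ts=2024-05-02T10:14:03Z method=POST host=msdeliverycontent.com path=/v1/track cookie="MSCC=1; ai_session=a1b2; at_check=true"',
    'ts=2024-05-02T10:14:09Z method=POST host=login.microsoftonline.com path=/common cookie="MSCC=1; ai_session=z9y8"',
    'ts=2024-05-02T10:15:21Z method=GET host=cdn.example.net path=/app.js cookie="ai_session=q7w8"',
    'ts=2024-05-02T10:16:44Z method=POST host=update-metrics.example.org path=/collect cookie="MicrosoftApplicationsTelemetryDeviceId=x; at_check=1"',
]
```

Running `triage(SAMPLE_LOG)` flags the first and fourth lines only; the POST to login.microsoftonline.com carrying the same cookie names is left alone because the destination is first-party.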
Groups observed using it
4 distinct threat actors attributed by public researchers.
The final component, a fully featured remote access trojan (RAT), is executed entirely in memory and provides attackers with extensive control over compromised systems.
Lazarus Group Expands Malware Arsenal With PondRAT, ThemeForestRAT, and RemotePE
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (4 techniques)
Once deployed, the RemotePE malware enables command execution, file manipulation, process management and data access...
IConsole ... Function ID 2 Execute a command and return its output
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (7 techniques)
The first is HellsGate (specifically the TartarusGate variant), a technique that dynamically resolves Windows syscall numbers at runtime.
`decrypt_c2_message` decodes a base64 blob, derives a key and nonce, and uses `AES.new(key, AES.MODE_GCM, nonce)` to decrypt the ciphertext from the `C2Message` structure.
Network packets utilize HTTP cookie names that mimic the Microsoft ecosystem. For instance, headers incorporate fields like MSCC and MicrosoftApplicationsTelemetryDeviceId to appear authentic.
Before contacting its command-and-control server, it removes security hooks placed by endpoint protection products and disables Windows event tracing, allowing the malware to operate with little or no visibility to defenders.
RemotePE also implements secure file deletion functionality by repeatedly overwriting files seven times prior to deletion, behavior previously associated with Lazarus-linked malware families such as PondRAT and POOLRAT.
Discovery (3 techniques)
Collection (1 technique)
Command and Control (4 techniques)
The script defines a `CabinetStream` structure with `compressed_buf` and uses `decompress_mszip` with zlib to decompress the command output after decryption.
It then initiates an encrypted HTTP communication loop with remote servers.
Exfiltration (1 technique)
Impact (2 techniques)
Other (2 techniques)
The malware employs evasion techniques like Hell's Gate and patches Event Tracing for Windows (ETW) to avoid detection.
The attack followed a pattern increasingly common in Lazarus operations: social engineering via Telegram, with operatives posing as employees of a legitimate trading firm and scheduling fake meetings through spoofed Calendly and Picktime domains, to gain initial access to a victim’s device.
IOCs tracked for this family
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains, and DNS infrastructure linked to this family, and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Memory-only remote access trojan executed entirely in memory that enables command execution, file manipulation, process management, and data access for long-term access, theft, intelligence collection, or exfiltration.
A memory-only remote access trojan/backdoor that runs entirely in RAM, handles outbound C2 and operator commands, securely deletes files, and supports runtime plugin DLL registration.
A fully memory-resident remote access trojan with encrypted C2, multithreaded command handling, file and process operations, command execution, configuration management, plugin/DLL loading, compression and exfiltration, and secure file deletion. It is designed for long-term stealthy access in financial and cryptocurrency environments.
RemotePE is a remote access trojan designed to operate entirely in memory for stealthy, long-term access. It is delivered through a multi-stage chain, communicates with a C2 server, supports file and process operations, uses evasion techniques such as Hell's Gate and ETW patching, and includes secure file deletion behavior.