Malware (used by 3 actors)

DPAPILoader


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Lazarus

Researchers identified a new malware toolset used by Lazarus consisting of three components: DPAPILoader, RemotePELoader and RemotePE.

via malware.news
AppleJeus

The framework consists of three interconnected malware families: DPAPILoader – First-stage loader responsible for decrypting payloads tied to victim-specific DPAPI keys.

via blog.polyswarm.io
Lazarus

The framework consists of three interconnected malware families: DPAPILoader – First-stage loader responsible for decrypting payloads tied to victim-specific DPAPI keys.

via blog.polyswarm.io
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Persistence

1 technique
T1543.003 Windows Service (Evidence: 3)

In one observed intrusion, the malware was deployed as C:\Windows\System32\Iassvc.dll under a malicious Windows service masquerading as the legitimate Internet Authentication Service (IAS). The malware abuses Windows service infrastructure to establish persistence through svchost.exe while imitating legitimate Windows components.

Privilege Escalation

1 technique
T1543.003 Windows Service (Evidence: 3)

In one observed intrusion, the malware was deployed as C:\Windows\System32\Iassvc.dll under a malicious Windows service masquerading as the legitimate Internet Authentication Service (IAS). The malware abuses Windows service infrastructure to establish persistence through svchost.exe while imitating legitimate Windows components.

Stealth

6 techniques
T1027 Obfuscated Files or Information (Evidence: 1)

After DPAPI decryption, the payload is additionally XORed with 0x8D before loading. This is consistent across all observed DPAPILoader samples.

T1036 Masquerading (Evidence: 2)

Researchers noted the malicious DLL intentionally mimicked the legitimate iassvcs.dll naming convention, differing by only a single character.

T1140 Deobfuscate/Decode Files or Information (Evidence: 3)

DPAPILoader functions as the first-stage component responsible for decrypting and executing encrypted payloads tied to the victim environment via the Windows Data Protection API (DPAPI)... The malware applies an additional XOR operation using the constant 0x8D after DPAPI decryption, creating a layered protection mechanism.

T1218 System Binary Proxy Execution (Evidence: 2)

Researchers identified multiple DPAPILoader variants utilizing different execution methods, including service execution, DLL sideloading via ESET software, and export-based loading through WMI-related functionality.

T1497.001 System Checks (Evidence: 2)

Meanwhile, the malware checks the host process and loops over specific device metadata paths.

T1620 Reflective Code Loading (Evidence: 5)

The final component, a fully featured remote access trojan (RAT), is executed entirely in memory and provides attackers with extensive control over compromised systems.

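The masquerading and XOR-layer evidence above (a service DLL named one character off from the legitimate iassvcs.dll, and a payload XORed with 0x8D after DPAPI decryption) lends itself to two small defender-side checks. The following is an added example written for this page, not code from Mallory or from any of the cited reports: it flags service-install records whose ServiceDll name is a near-miss of a known-good DLL, and it tests whether a DPAPI-decrypted blob becomes a PE image once the 0x8D layer is removed. The event lines, the key=value log format, and the KNOWN_GOOD_DLLS allow-list are all constructed assumptions; a real deployment would parse the actual event source and build the allow-list from a known-good host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample records in a flattened key=value form (not real telemetry).
# Event 7045 is the "A service was installed in the system" record; the
# ServiceDll field is an assumed field name added so the example is self-contained.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName="IAS" ImagePath="%SystemRoot%\\System32\\svchost.exe -k netsvcs" ServiceDll="C:\\Windows\\System32\\Iassvc.dll"',
    'EventID=7045 ServiceName="IAS" ImagePath="%SystemRoot%\\System32\\svchost.exe -k netsvcs" ServiceDll="C:\\Windows\\System32\\iassvcs.dll"',
    'EventID=7045 ServiceName="Spooler" ImagePath="C:\\Windows\\System32\\spoolsv.exe" ServiceDll=""',
]

# Assumed allow-list of legitimate svchost-hosted service DLL names (lower-case).
KNOWN_GOOD_DLLS: Set[str] = {"iassvcs.dll", "dhcpcore.dll", "wuaueng.dll"}

# XOR constant reported for DPAPILoader's second obfuscation layer.
DPAPILOADER_XOR_KEY = 0x8D


@dataclass
class Finding:
    service: str
    dll_path: str
    lookalike_of: str
    distance: int


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small enough for filename comparisons."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_event(line: str) -> Dict[str, str]:
    """Parse key=value or key="value" pairs from one constructed log line."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def find_lookalike_service_dlls(lines: List[str],
                                known_good: Set[str] = KNOWN_GOOD_DLLS,
                                max_distance: int = 1) -> List[Finding]:
    """Flag service installs whose DLL name is a near-miss of an allow-listed one.

    An exact allow-list hit is benign; a name within max_distance edits of an
    allow-listed name (but not equal to it) is the typosquat pattern described
    on the page (Iassvc.dll vs iassvcs.dll).
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7045":
            continue
        dll_path = ev.get("ServiceDll", "")
        if not dll_path:
            continue
        name = dll_path.rsplit("\\", 1)[-1].lower()
        if name in known_good:
            continue
        for good in known_good:
            d = edit_distance(name, good)
            if 0 < d <= max_distance:
                findings.append(Finding(ev.get("ServiceName", ""), dll_path, good, d))
    return findings


def unwrap_xor_layer(decrypted: bytes, key: int = DPAPILOADER_XOR_KEY) -> Optional[bytes]:
    """Remove the single-byte XOR layer applied after DPAPI decryption.

    Returns the de-XORed bytes only if they start with an MZ header, which is a
    cheap triage signal that the layer was correctly identified; otherwise None.
    The DPAPI step itself must already have been done on the victim context.
    """
    out = bytes(b ^ key for b in decrypted)
    return out if out[:2] == b"MZ" else None


if __name__ == "__main__":
    for f in find_lookalike_service_dlls(SAMPLE_EVENTS):
        print(f"service {f.service!r}: {f.dll_path} looks like {f.lookalike_of} (distance {f.distance})")
```

Running the block against the constructed events reports only the Iassvc.dll install; the exact-match iassvcs.dll record and the spooler record are not flagged. Keep max_distance at 1 for System32 DLL names: larger values quickly collide with unrelated legitimate names.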
Credential Access

1 technique
T1555.004 Windows Credential Manager (Evidence: 2)

The first-stage loader decrypts and launches the next component using Windows Data Protection API (DPAPI)... A notable aspect of the campaign is the use of environmental keying through Windows DPAPI.

Discovery

1 technique
T1497.001 System Checks (Evidence: 2)

Meanwhile, the malware checks the host process and loops over specific device metadata paths.

Impact

1 technique
T1486 Data Encrypted for Impact (Evidence: 1)

DPAPILoader uses the Windows Data Protection API (DPAPI) to decrypt its payload... each deployment produces a unique encrypted blob, meaning the payload hash differs across victims and evades hash-based detection.

Other

1 technique
T1656 Impersonation (Evidence: 1)

The attack followed a pattern increasingly common in Lazarus operations, social engineering via Telegram, with operatives posing as employees of a legitimate trading firm, scheduling fake meetings through spoofed Calendly and Picktime domains to gain initial access to a victim’s device.

INDICATORS OF COMPROMISE

IOCs tracked for this family

9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
6 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
3 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Indicator values are withheld on the public page; the entries listed are:

- hash.sha256 (3 entries), latest sighting 1 month ago
- domain (3 entries), latest sighting 1 month ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (9)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (10)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.