Lazarus Group Deploys Memory‑Only RemotePE RAT Targeting Financial and Crypto Firms
What Happened — Researchers uncovered that the North‑Korea‑linked Lazarus Group is using a cross‑platform, memory‑only RemotePE remote access tool (RAT) in multi‑stage attacks against financial institutions and cryptocurrency businesses. The malware is delivered via two loaders, DPAPILoader and RemotePELoader, which decrypt and inject the RAT directly into process memory, leaving no files on disk.
Why It Matters for TPRM —
- Memory‑only payloads evade traditional file‑based detection, increasing the risk of undetected compromise in third‑party vendors.
- Financial and crypto service providers often host critical payment and asset‑management APIs that, if breached, can cascade to downstream partners.
- Lazarus’s use of sophisticated, multi‑stage tooling signals a high‑skill threat actor capable of targeting supply‑chain entities.
Who Is Affected — Financial services, payments processors, cryptocurrency exchanges, and any SaaS providers handling fiat or digital‑asset transactions.
Recommended Actions —
- Review contracts and security attestations for any third‑party financial or crypto service providers.
- Verify that vendors employ memory‑analysis/behavioral detection (EDR) capable of spotting file‑less malware.
- Conduct threat‑modeling of API exposure and enforce strict least‑privilege access for external connections.
Technical Notes — The attack chain starts with DPAPILoader, which decrypts a second stage loader (RemotePELoader). RemotePELoader injects the RemotePE RAT directly into memory, avoiding disk writes. The RAT supports Windows, Linux, and macOS, and can exfiltrate credentials, transaction data, and cryptocurrency wallet keys. No specific CVE is cited; the technique leverages in‑memory code injection. Source: The Hacker News