HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Lazarus Group Deploys Memory‑Only RemotePE RAT Targeting Financial and Crypto Firms

North‑Korea‑linked Lazarus Group is leveraging a cross‑platform, memory‑only RemotePE RAT in multi‑stage attacks against financial institutions and cryptocurrency businesses, raising third‑party risk for firms handling payments and digital assets.

LiveThreat™ Intelligence · 📅 May 25, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

Lazarus Group Deploys Memory‑Only RemotePE RAT Targeting Financial and Crypto Firms

What Happened — Researchers uncovered that the North‑Korea‑linked Lazarus Group is using a cross‑platform, memory‑only RemotePE remote access tool (RAT) in multi‑stage attacks against financial institutions and cryptocurrency businesses. The malware is delivered via two loaders, DPAPILoader and RemotePELoader, which decrypt and inject the RAT directly into process memory, leaving no files on disk.

Why It Matters for TPRM

  • Memory‑only payloads evade traditional file‑based detection, increasing the risk of undetected compromise in third‑party vendors.
  • Financial and crypto service providers often host critical payment and asset‑management APIs that, if breached, can cascade to downstream partners.
  • Lazarus’s use of sophisticated, multi‑stage tooling signals a high‑skill threat actor capable of targeting supply‑chain entities.

Who Is Affected — Financial services, payments processors, cryptocurrency exchanges, and any SaaS providers handling fiat or digital‑asset transactions.

Recommended Actions

  • Review contracts and security attestations for any third‑party financial or crypto service providers.
  • Verify that vendors employ memory‑analysis/behavioral detection (EDR) capable of spotting file‑less malware.
  • Conduct threat‑modeling of API exposure and enforce strict least‑privilege access for external connections.

Technical Notes — The attack chain starts with DPAPILoader, which decrypts a second stage loader (RemotePELoader). RemotePELoader injects the RemotePE RAT directly into memory, avoiding disk writes. The RAT supports Windows, Linux, and macOS, and can exfiltrate credentials, transaction data, and cryptocurrency wallet keys. No specific CVE is cited; the technique leverages in‑memory code injection. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →