Lazarus Group Deploys RemotePE Memory-Only RAT Against Financial Institutions and Crypto Firms

NCC Group subsidiary Fox-IT has uncovered RemotePE, a cross-platform remote access trojan deployed by North Korea-linked Lazarus Group that runs entirely in memory, leaves no filesystem trace, and targets financial institutions and cryptocurrency organisations through a multi-stage loader chain.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region3 min read
Server room with a single rack illuminated in red warning light representing the Lazarus Group RemotePE memory-only malware threat

Server room with a single rack illuminated in red warning light representing the Lazarus Group RemotePE memory-only malware threat

Security researchers at NCC Group subsidiary Fox-IT have published findings on a new cross-platform remote access trojan deployed by the North Korea-linked Lazarus Group in targeted campaigns against financial institutions and cryptocurrency organisations. The malware, called RemotePE, operates entirely in memory and is never written to disk, leaving no filesystem artefacts for conventional endpoint detection tools to identify.

This characteristic significantly raises the operational difficulty for incident response teams attempting to detect the attack or reconstruct the chain of events after the fact. It also places RemotePE in a category of threats that standard file-based detection and many endpoint detection and response platforms will miss entirely during active execution.

A Multi-Stage Loader Chain

RemotePE is delivered through a two-stage loader architecture. The first component, DPAPILoader, decrypts and loads the second component, RemotePELoader, from disk using the Windows Data Protection API. RemotePELoader then beacons to a command-and-control server and waits to receive RemotePE itself, which is transferred and executed entirely in memory without ever touching the filesystem.

The architecture is specifically engineered to minimise forensic footprint. Researchers Yun Zheng Hu and Mick Koomen noted that because RemotePE never touches the filesystem, standard file-based detection methods and many EDR tools are unable to identify its presence during active execution. Detection requires behavioural monitoring at the process and memory level rather than file signature matching.

RemotePE was first identified by Fox-IT in September 2025, connected to an attack against an unnamed decentralised finance organisation that resulted in the deployment of three malware families including PondRAT. The latest reporting confirms the tooling has been refined and is now being used in broader targeting of the financial sector.

Why GCC Financial Institutions Need to Act

The Lazarus Group has a sustained and well-documented track record of targeting banks, financial infrastructure, and cryptocurrency platforms. This is a pattern of direct relevance to institutions across the GCC and MENA region, where fintech investment and digital asset activity have expanded significantly over the past two years.

The UAE Cyber Insurance Market research published this week highlighted that financial services, healthcare, and energy are the sectors where cyberattacks carry the most severe consequences across the Gulf. State-linked financial cybercrime, of the kind Lazarus Group represents, sits at the most severe end of that risk spectrum.

Saudi Arabia and the UAE have both seen rapid growth in cryptocurrency exchange activity and digital banking infrastructure over the past 24 months, directly increasing the attack surface for groups operating in this space. The AI-powered vulnerability discoveries made under Project Glasswing further underscore that the software underpinning financial platforms may carry more unpatched flaws than previously understood.

Security teams in the region are advised to review their capabilities for detecting memory-resident malware, assess whether current EDR deployments include behavioural anomaly detection for in-memory process injection, and audit network traffic for unusual outbound beaconing patterns consistent with C2 activity. Any organisation running DeFi infrastructure or holding significant cryptocurrency assets should treat this as a current and active threat, not a future risk.

The full research is available through NCC Group's research portal.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Advanced Persistent ThreatsFinancial Sector Cyber Risk MENACryptocurrency Security 2026Malware Analysis GCCGulf Cybersecurity NewsMENA Threat Intelligence