Lazarus RemotePE memory-only RAT targets DeFi and crypto firms - DPAPILoader + RemotePELoader chain, Hell's Gate, ETW patching
NCC Group's Fox-IT has documented RemotePE, a previously private cross-platform RAT used by the North Korea-linked Lazarus Group against DeFi, financial, and cryptocurrency organizations. The chain starts with social engineering on Telegram (impersonating a trading-firm employee with fake Calendly and Picktime meeting links), then drops DPAPILoader (Iassvc.dll), which uses Windows DPAPI to decrypt RemotePELoader. That loader fetches RemotePE entirely in memory from aes-secure[.]net, evading EDR via Hell's Gate and ETW patching. RemotePE itself is a C++ RAT supporting six command categories. Fox-IT believes the toolset is reserved for high-value, long-dwell access leading to large-scale financial theft. Activity dates from mid-2023.
- Check
  - Hunt for Iassvc.dll on Windows endpoints (especially DeFi-adjacent developer machines). Search EDR for outbound traffic to aes-secure[.]net. Review Telegram and Calendly social-engineering reports from your finance and crypto teams.
- Affected
  - Financial-services, DeFi, and crypto firms, Lazarus' primary targets. Initial access via Telegram impersonation of trading-firm employees and fake Calendly / Picktime meeting links.
- Fix
  - Block aes-secure[.]net at egress. Train finance and developer teams against Telegram-initiated meeting requests with crypto/trading themes. Deploy EDR rules detecting Hell's Gate syscall patterns and ETW patching.