Fox-IT International published a technical write-up on May 22 dissecting RemotePE, a memory-only remote access trojan operated by the North Korea-linked Lazarus Group, and The Hacker News carried it to a wider audience on May 25. The toolset is now publicly tied to the wave of intrusions that have drained roughly $577 million in cryptocurrency from exchanges and DeFi platforms in the first four months of 2026. Fox-IT first flagged RemotePE in September 2025 against an unnamed DeFi target, but this disclosure ties the loader chain, the C2 infrastructure, and the financial-targeting tradecraft into a single, documented kill chain that defenders can hunt against.

The intrusion pattern

Initial access is social engineering, not exploitation. Operators approach employees on Telegram while impersonating a real employee of a known counterparty (typically a trading firm or fund) and schedule a meeting through a spoofed Calendly or Picktime page. The “meeting prep” link delivers the first-stage loader. This is the same Contagious Interview / TraderTraitor lineage Lazarus has refined for years; what is new is what runs after the click.

Three-stage loader chain

Stage 1: DPAPILoader (Iassvc.dll). A side-loaded DLL whose earliest known sample dates to November 2023. It calls the Windows Data Protection API (DPAPI) to decrypt the next-stage payload. DPAPI master keys are derived from the victim user's logon credentials, so the encrypted blob can only be decrypted in that user's context on that host; copying the artifact into a sandbox yields nothing. This environmental keying is the single most effective anti-analysis trick in the chain. The practical consequence for responders is that the decrypted stage has to be recovered from the infected host itself: either dump process memory after the loader has run, or export the user's DPAPI master key (which requires the user's password or the domain DPAPI backup key) and decrypt the blob offline.

Stage 2: RemotePELoader. Fetches the RemotePE module over HTTP from a C2 such as aes-secure[.]net. It resolves system call numbers with the Hell's Gate technique (reading the syscall stubs in ntdll rather than calling through them) and issues the syscalls directly, so the user-mode hooks that EDRs place on ntdll exports never see the calls. It also patches ETW (Event Tracing for Windows) in its own process, blinding any telemetry source that depends on that process's ETW providers.

Stage 3: RemotePE. A full RAT written in C++ that executes entirely in memory and leaves no disk artifact. It polls the C2 for commands across six categories: get/set C2 configuration; load/unload DLL modules and change the working directory; file operations; process enumeration, spawn, and kill by PID; execution control; and a C2 keep-alive.

C2 infrastructure and IOCs

Fox-IT lists aes-secure[.]net and web-telegram[.]ug as confirmed C2 domains, both on Namecheap shared hosting, the same pattern Lazarus used for ThemeForestRAT and PondRAT earlier in the same campaign cluster. SOC Prime's write-up bundles all three into one rule pack; if you are tuning detections, treat them as one toolset rather than three separate hunts. The loader file name Iassvc.dll is a known string: watch for unsigned DLLs with that name loaded by a legitimate Windows service binary, and for any process initiating outbound HTTP to the two Namecheap C2s. A file name is the cheapest indicator for the operator to change, so pair it with the side-loading behaviour itself (an unsigned DLL loaded by a signed Windows binary from somewhere other than the system directory) rather than relying on the string alone.
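The hunt described above, turned into code as an added example (this is not Fox-IT's or SOC Prime's tooling). It runs over a handful of constructed Sysmon-style event records embedded in the script, flags an Iassvc.dll image load that is unsigned or comes from an unexpected parent, and flags DNS queries or connections to the two confirmed C2 domains. The Sysmon field names are real; the event values and the empty parent-process baseline are assumptions for the demo.

```python
"""Hunt for the RemotePE loader-chain indicators in endpoint telemetry.

Added example, not Fox-IT's or SOC Prime's code. It runs over constructed
Sysmon-style event records (embedded below, not real telemetry) and flags:
  * an unsigned Iassvc.dll image-loaded by any process (Event ID 7),
  * DNS queries (Event ID 22) or connections (Event ID 3) to the two C2 domains.
Field names follow Sysmon's schema; the parent-process allow-list is an
assumption the reader should replace with their own baseline.
"""
from __future__ import annotations

C2_DOMAINS = {"aes-secure.net", "web-telegram.ug"}
LOADER_DLL = "iassvc.dll"
# Assumption for illustration: images expected to load a DLL of this name.
# An empty baseline means every load of the name is reported.
EXPECTED_LOADERS: set[str] = set()

# Constructed sample events (Sysmon field names; values invented for the demo).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\trader\AppData\Local\Temp\Iassvc.dll",
     "Signed": "false", "ProcessId": 4120},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "ProcessId": 4120},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "cdn.aes-secure.net", "ProcessId": 4120},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "web-telegram.ug", "DestinationPort": 443,
     "ProcessId": 988},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "web.telegram.org", "DestinationPort": 443,
     "ProcessId": 988},
]


def domain_matches(hostname: str, blocked: set[str]) -> bool:
    """True if hostname equals or is a subdomain of any blocked domain.

    Plain substring matching would also flag 'aes-secure.net.example.com'
    or 'notweb-telegram.ug', so compare on label boundaries only.
    """
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def hunt(events: list[dict]) -> list[dict]:
    """Return one finding dict per event that matches an indicator."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7:
            loaded = ev.get("ImageLoaded", "")
            name = loaded.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name != LOADER_DLL:
                continue
            unsigned = str(ev.get("Signed", "")).lower() != "true"
            image = ev.get("Image", "").lower()
            unexpected = (not EXPECTED_LOADERS) or image not in EXPECTED_LOADERS
            if unsigned or unexpected:
                findings.append({"type": "loader_dll", "pid": ev.get("ProcessId"),
                                 "image": ev.get("Image"), "path": loaded,
                                 "signed": not unsigned})
        elif eid in (3, 22):
            host = ev.get("DestinationHostname") or ev.get("QueryName") or ""
            if domain_matches(host, C2_DOMAINS):
                findings.append({"type": "c2_contact", "pid": ev.get("ProcessId"),
                                 "image": ev.get("Image"), "host": host})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Against the embedded sample the script reports three findings: the unsigned Iassvc.dll load by svchost.exe, the DNS query for a subdomain of aes-secure.net from the same PID, and the browser connection to web-telegram.ug; the legitimate web.telegram.org connection is not reported because matching is done on label boundaries. Feed it your own exported Sysmon JSON and populate EXPECTED_LOADERS with whatever your baseline says may legitimately load the DLL.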

Impact

The named victim profile is narrow but high-value: crypto exchanges, custodians, DeFi protocols, trading firms, and traditional banks with crypto desks. The financial damage is not narrow: the $577M figure attributed to Lazarus across the first four months of 2026 makes them, again, the most successful financially motivated APT in operation. If your firm holds, custodies, trades, or settles crypto, assume you are in scope.

The deeper concern for infrastructure teams is the collapse of the usual detection model. RemotePE writes nothing to disk after stage one, blinds ETW, issues syscalls directly via Hell's Gate, and its encrypted payload is unreadable off-host because of the DPAPI binding. File-scanning AV will see only Iassvc.dll. EDRs that lean on ETW-derived telemetry will see less than they should. Memory forensics and network-side detection on the two known C2 domains are where this actually gets caught.

Mitigations

Block the known C2 domains at egress immediately. Hunt for Iassvc.dll loaded by unexpected parents, and for any process that patches ETW against its own provider registrations; Elastic and CrowdStrike have published generic detections for the latter. Route Telegram, Calendly, and Picktime traffic for fintech and treasury staff through your secure web gateway so that the links those services deliver are inspected and logged. Require attested, managed devices for any session that touches custody keys or trading API credentials; an employee's personal Telegram conversation is now a credible initial access vector against your hot wallet.
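The memory-side checks that the detection-model paragraph and the hunting advice above both point at, as an added example that is not Fox-IT's code and does not describe RemotePELoader's exact patch bytes: one function compares a function prologue read from process memory against the same bytes on disk and classifies the common ETW-neutering overwrites, and a second scans an executable region outside ntdll for raw `syscall` opcodes, the footprint left by Hell's Gate-style direct syscalls. Every byte string here is constructed for the demo rather than copied from a real ntdll; how the bytes are acquired (ReadProcessMemory, a minidump, a Volatility plugin) is assumed to happen elsewhere.

```python
"""Spot in-process ETW patching and out-of-ntdll syscall stubs from raw bytes.

Added example for this write-up; not Fox-IT's code and not a description of
RemotePELoader's actual patch bytes. It works on bytes the analyst has already
pulled from a process and compares them with the same function on disk.
All byte strings below are constructed for the demo, not copied from ntdll.
"""
from __future__ import annotations

# Prologue overwrites commonly used to neuter ntdll's ETW write routine.
PATCH_PATTERNS = [
    (b"\xc3", "ret"),
    (b"\x33\xc0\xc3", "xor eax, eax; ret"),
    (b"\x31\xc0\xc3", "xor eax, eax; ret"),
    (b"\x48\x33\xc0\xc3", "xor rax, rax; ret"),
]
SYSCALL = b"\x0f\x05"  # x64 'syscall' opcode


def classify_prologue(in_memory: bytes, on_disk: bytes) -> dict:
    """Compare a function's first bytes in memory with its on-disk copy.

    Returns whether they differ, the first differing offset, and which known
    overwrite (if any) the in-memory bytes now start with.
    """
    if in_memory == on_disk:
        return {"patched": False, "pattern": None, "first_diff": None}
    n = min(len(in_memory), len(on_disk))
    first_diff = next((i for i in range(n) if in_memory[i] != on_disk[i]), n)
    pattern = "unknown overwrite"
    for pat, desc in PATCH_PATTERNS:
        if in_memory.startswith(pat):
            pattern = desc
            break
    else:
        # 'mov eax, imm32; ret' (B8 xx xx xx xx C3) matched structurally,
        # 'jmp rel32' (E9 ...) is an inline hook or trampoline.
        if len(in_memory) >= 6 and in_memory[0] == 0xB8 and in_memory[5] == 0xC3:
            pattern = "mov eax, imm32; ret"
        elif in_memory[:1] == b"\xe9":
            pattern = "jmp rel32 (inline hook/trampoline)"
    return {"patched": True, "pattern": pattern, "first_diff": first_diff}


def find_syscall_stubs(region: bytes, base: int) -> list[int]:
    """Return addresses of 'syscall' opcodes inside a memory region.

    Seen in an executable region that is not ntdll, this is what Hell's Gate
    style direct syscalls leave behind: the loader copies the stub so the
    hooked ntdll export is never called.
    """
    hits, i = [], region.find(SYSCALL)
    while i != -1:
        hits.append(base + i)
        i = region.find(SYSCALL, i + 1)
    return hits


# Constructed on-disk prologue (illustrative bytes, not the real function).
ETW_EVENT_WRITE_DISK = bytes.fromhex("4c8bdc49895b0849896b10")
SNAPSHOT = {
    # function name: (bytes read from memory, bytes read from the file on disk)
    "ntdll!EtwEventWrite": (bytes.fromhex("33c0c3") + ETW_EVENT_WRITE_DISK[3:],
                            ETW_EVENT_WRITE_DISK),
    "ntdll!NtCreateFile": (bytes.fromhex("4c8bd1b855000000"),
                           bytes.fromhex("4c8bd1b855000000")),
}
# Constructed executable region of a side-loaded DLL holding a copied stub:
# nop; nop; mov r10, rcx; mov eax, 0x18; syscall; ret
RWX_REGION = bytes.fromhex("90904c8bd1b8180000000f05c3")
RWX_BASE = 0x1AE2F000


def audit(snapshot: dict, region: bytes, base: int) -> dict:
    """Run both checks and return only the positive results."""
    patched = {}
    for name, (mem, disk) in snapshot.items():
        result = classify_prologue(mem, disk)
        if result["patched"]:
            patched[name] = result
    return {"patched": patched, "syscall_stubs": find_syscall_stubs(region, base)}


if __name__ == "__main__":
    print(audit(SNAPSHOT, RWX_REGION, RWX_BASE))
```

On the constructed snapshot the audit reports ntdll!EtwEventWrite as patched with an `xor eax, eax; ret` overwrite at offset 0 and one syscall stub at 0x1AE2F00A, while the untouched NtCreateFile prologue is silent. Two caveats when running this against real memory: compare against the on-disk image after relocations are applied, and treat a bare `0F 05` hit as a lead rather than a verdict, since the two bytes can occur in data; confirm the surrounding `mov r10, rcx; mov eax, imm32` shape and that the region is executable and not part of ntdll before escalating.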

If you operate a crypto desk and have not yet built memory-acquisition tooling into your IR playbook, this is the disclosure that should force the conversation. A RAT that lives only in RAM does not get found by a disk image.

References:
Fox-IT, "RemotePE: The Lazarus RAT that lives in memory"
The Hacker News coverage of the Fox-IT disclosure
SOC Prime detection rules for PondRAT, ThemeForestRAT, and RemotePE