Initial access occurs via Telegram through impersonation.
The first artifacts of the malware date back to July 2023, as a report from May 2026 revealed.
The Lazarus group, linked to the North Korean government, has deployed an unauthorized remote access program called RemotePE against companies in the financial and digital asset sector. According to the firm Fox-IT, a subsidiary of NCC Group, in a report published on May 22, the malicious program runs entirely in the memory of the infected computer, without saving files to the hard drive, which allows it to evade the most widely used threat detection systems in the industry.
According to researchers Yun Zheng Hu and Mick Koomen, RemotePE is part of a three-stage attack chain that includes two intermediary programs: DPAPILoader, which decrypts the malicious payload using native tools of the Windows operating system, and RemotePELoader, which contacts an external server to receive the main module and execute it directly in memory.
Fox-IT notes that initial access to target organizations happens through deception on Telegram. The attackers present themselves as employees of investment firms and direct their victims to meetings scheduled on fake sites that imitate legitimate scheduling platforms. Once inside the system, the program can remain active for months without being identified.
The firm maintains that the first records of this attack date back to November 2023, while the oldest version of RemotePE identified is dated July 4 of that same year. None of the samples analyzed had been detected by public threat analysis platforms before the report was published.
Full control from the shadows
Once installed, RemotePE gives the attacker complete operational control over the compromised system. According to the firm, the program does not act autonomously: each delivery of the main module requires the manual intervention of a human operator, who decides when and to whom to send it.
The program allows the attacker to execute the following actions on the compromised computer:
- Modify the configuration of the server from which it receives orders
- Manage system folders and modules
- Read, write, compress, rename or delete files
- List, create or delete running processes
- Load additional modules in real time, without restarting the program
- Regulate activity intervals to reduce visibility
The firm also highlights that before deleting a file, the program overwrites it seven times with constant data, a deletion technique that makes it difficult to recover forensic evidence and that it shares with other malicious programs from the same group, such as PondRAT and POOLRAT.
The firm warns that the real-time, human-supervised operating model, combined with the toolset’s low detection rate, suggests that RemotePE is reserved for high-value targets, where silent and prolonged access precedes a final high-impact action, such as the massive theft of funds or the extraction of sensitive information.
A pattern that repeats itself with increasing numbers
RemotePE is not an isolated case. According to the analysis firm Arkham, Lazarus was responsible for more than 70% of all attacks on decentralized finance protocols registered in 2026, with two hits carried out in April that totaled more than 577 million dollars: the first against Drift Protocol, where agents of the group appeared at sector conferences and made deposits of more than a million dollars to appear to be legitimate partners before draining the funds; the second against KelpDAO, by manipulating the nodes that verified transactions between networks. Both attacks share with RemotePE the same operating principle: months of silent preparation before a final irreversible action.
The context is broader: last April there were 34 attacks on decentralized finance (DeFi) protocols, with losses of approximately $635 million, which represented 78% of everything stolen in the ecosystem so far this year, according to CDSecurity’s monthly report. Since 2017, the group has accumulated more than $6 billion in stolen digital assets, according to Arkham, a figure that places Lazarus not as an opportunistic actor but as a state operation with long-term financial objectives. RemotePE is, according to Fox-IT, the most sophisticated tool documented so far within that arsenal.
