Lazarus's RemotePE RAT Runs Only in Memory and Is Built to Survive the Investigation

Fox-IT disclosed RemotePE, a RAT the North Korea-linked Lazarus Group runs entirely in memory and never writes to disk. It is the final stage of a multi-stage chain, deployed only after the noisier RATs are deliberately cleaned up.

Key Takeaways

  • Fox-IT disclosed RemotePE, a cross-platform remote access trojan used by the North Korea-linked Lazarus Group against financial and cryptocurrency organizations; it executes entirely in memory and is never written to disk, leaving no filesystem artifacts.
  • RemotePE is the final, stealthiest stage of a multi-stage chain that begins with two loaders, DPAPILoader and RemotePELoader, and Lazarus deliberately removes the noisier earlier RATs — PondRAT and ThemeForestRAT — once RemotePE is in place.
  • Finance and crypto security teams should shift detection toward memory and behavior, hunt the earlier loaders and companion RATs, and treat a sudden cleanup of earlier implants as a high-fidelity signal that a stealthier stage just landed.

RemotePE is not a tool for stealing and leaving — it is a tool for staying: memory-only, disk-silent, EDR-evading, and keyed to its target environment, deployed only after the noisier implants have been deliberately wiped away.

AMSTERDAM, NETHERLANDS — Researchers at Fox-IT, the threat-research unit of NCC Group, have disclosed RemotePE, a cross-platform remote access trojan used by the North Korea-linked Lazarus Group in intrusions against financial and cryptocurrency organizations. In research published on May 22, 2026, titled "RemotePE: The Lazarus RAT that lives in memory," Fox-IT describes RemotePE as the final and stealthiest stage of a multi-stage attack chain — a RAT executed entirely in memory and never written to disk, leaving no filesystem artifacts behind for an investigator to find.

Fox-IT assesses that RemotePE's combination of environmental keying, memory-only execution, EDR evasion, and minimal forensic footprint makes it purpose-built for long-term observation campaigns rather than smash-and-grab theft. The disclosure was carried across the May 22-25, 2026 coverage cycle by The Hacker News, SOC Prime, and SecurityBrief.

Disclosure Overview

Disclosure: RemotePE, detailed by Fox-IT (NCC Group) in research published May 22, 2026 — "RemotePE: The Lazarus RAT that lives in memory"
Threat Actor: The North Korea-linked Lazarus Group; some reporting attributes the activity to a Lazarus subgroup
Targets: Financial and cryptocurrency organizations
What RemotePE Is: A cross-platform RAT executed entirely in memory and never written to disk — no filesystem artifacts
Delivery Chain: Two loaders — DPAPILoader and RemotePELoader — culminate in RemotePE; RemotePELoader beacons to a C2 server and waits to receive the next stage
Design Traits: Environmental keying, memory-only execution, EDR evasion, and a low forensic footprint — assessed as purpose-built for long-term observation
Companion RATs: Deployed alongside PondRAT and ThemeForestRAT, which Lazarus rolls out progressively during an intrusion
Development Window: Fox-IT obtained four RemotePE samples indicating active development between mid-2023 and mid-2024

What Happened

Fox-IT, the threat-research unit of NCC Group, disclosed RemotePE in research published on May 22, 2026 under the title "RemotePE: The Lazarus RAT that lives in memory." RemotePE is a cross-platform remote access trojan, and Fox-IT attributes its use to the North Korea-linked Lazarus Group in intrusions targeting financial and cryptocurrency organizations. The defining characteristic, and the reason the disclosure matters, is where RemotePE runs: it executes entirely in memory and is never written to disk, so it leaves no filesystem artifacts. A defender examining a hard drive after the fact finds nothing, because there is nothing on the drive to find.

RemotePE does not arrive on its own. It is the final stage of a multi-stage attack chain that begins with two loaders. The first, DPAPILoader — named for the Windows Data Protection API it abuses — and a second loader, RemotePELoader, hand off in sequence. RemotePELoader beacons to a command-and-control (C2) server and waits to receive the next stage, which is RemotePE itself. Fox-IT obtained four RemotePE samples, and the differences between them indicate the RAT was under active development between mid-2023 and mid-2024. Fox-IT assesses that RemotePE's mix of environmental keying, memory-only execution, EDR evasion, and minimal forensic footprint makes it purpose-built for long-term observation campaigns rather than fast theft.

RemotePE Is Designed to Be Unfindable After the Fact

The single most important fact about RemotePE is a design philosophy, not a feature list. Every property Fox-IT documents points in the same direction: the RAT is engineered to leave nothing behind. It runs only in memory and writes nothing to disk, which defeats the most common form of forensic investigation — examining a system's storage for malicious files. It evades endpoint detection and response (EDR) tooling. And it is keyed to its target environment, meaning a sample lifted off one victim and detonated in an analyst's sandbox may simply refuse to run, because the environment does not match what the RAT expects to see. Each of those traits is individually known in malware; what makes RemotePE notable is that all of them are present at once, and that they are concentrated in the stage Lazarus deploys last. This is not a tool built to grab data and leave. It is a tool built to stay — quietly, for a long time, in a place an investigator is unlikely to look.

The Triple-RAT Arsenal and the Four-Phase Progression

RemotePE is not deployed in isolation; Fox-IT documents it alongside two other RATs, PondRAT and ThemeForestRAT, which Lazarus rolls out progressively over the course of an intrusion. A 2024 incident at a decentralized-finance company gave Fox-IT a clear view of how that progression works, and it unfolds in four phases. First, social engineering for initial access. Second, exploitation that leads to the deployment of PondRAT. Third, a discovery phase in which the operators use various tools and harvest credentials. Fourth — and this is the step that matters most for defenders — the removal of the earlier payloads in favor of RemotePE. Lazarus does not simply add its stealthiest tool on top of the noisier ones. It deliberately takes the noisier ones away. The companion RATs and the loaders are loud enough to be caught; RemotePE is not, and the cleanup step is the moment the intrusion goes quiet. This staged, patient approach is consistent with DPRK-nexus malware development tradecraft that The CyberSignal has tracked through 2026, and with the broader history of patient, stealth-focused state-sponsored tooling.

The Detection Window Is the Earlier, Noisier Stages

If RemotePE itself is built to be invisible, the practical question for a defender is where the campaign can still be caught — and the answer is: before RemotePE lands. The loaders, DPAPILoader and RemotePELoader, are the first opportunity; RemotePELoader's C2 beaconing in particular is network-observable activity that does not depend on finding anything on disk. The companion RATs, PondRAT and ThemeForestRAT, are the second opportunity, because they are present and active during the earlier phases of the intrusion before Lazarus removes them. And the cleanup step itself is the third and arguably highest-fidelity opportunity: a sudden removal of earlier implants is not normal attacker behavior in a smash-and-grab, and a defender who sees earlier payloads being deliberately wiped should read it as evidence that a stealthier stage just arrived. The detection window is the noise — and once the noise stops, the assumption should be that RemotePE is in place. The same long-dwell logic appears across other memory-light, long-dwell nation-state implants and the broader nation-state long-dwell espionage pattern that defenders now have to plan around.
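The network-side opportunity above is RemotePELoader's periodic check-in with its C2 server. The following is an added example, not Fox-IT's tooling or any detection content from the research: a small periodicity check over an outbound-connection log that flags source/destination pairs whose inter-arrival times are regular enough to look like a timed beacon. The log lines, hostnames, addresses (documentation ranges) and thresholds are all constructed for illustration; a real deployment would read proxy, NetFlow or EDR network telemetry instead.

```python
"""Flag periodic outbound connections (beaconing candidates) in a connection log.
Added example; the log, thresholds and addresses are constructed placeholders."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: timestamp, source host, destination IP, destination port.
# 203.0.113.0/24 is a documentation range standing in for an external C2;
# 10.0.0.5 is an internal file server with irregular, human-driven traffic.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 203.0.113.10 443
2024-03-01T09:00:03 ws-17 10.0.0.5 445
2024-03-01T09:05:01 ws-17 203.0.113.10 443
2024-03-01T09:07:44 ws-17 10.0.0.5 445
2024-03-01T09:09:59 ws-17 203.0.113.10 443
2024-03-01T09:15:02 ws-17 203.0.113.10 443
2024-03-01T09:20:00 ws-17 203.0.113.10 443
2024-03-01T09:21:13 ws-17 10.0.0.5 445
2024-03-01T09:25:01 ws-17 203.0.113.10 443
2024-03-01T09:40:22 ws-17 10.0.0.5 445
"""


def parse_log(text):
    """Group connection timestamps by (source, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean interval in seconds, jitter ratio) or None if too few events.

    Jitter ratio is the population standard deviation of the gaps divided by
    the mean gap; a timed beacon with little randomisation scores near zero.
    """
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text, min_events=4, max_jitter=0.2):
    """Return flows whose timing is regular enough to warrant analyst review."""
    hits = []
    for (src, dst, port), stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is None:
            continue
        interval, jitter = score
        if len(stamps) >= min_events and jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "port": port,
                         "events": len(stamps),
                         "interval_s": round(interval, 1),
                         "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed log, the 203.0.113.10 flow fires (six events, roughly 300-second spacing, jitter under 1%) while the file-server traffic does not. The thresholds are deliberately loose; a loader that adds large random sleep intervals will push the jitter ratio up, so in practice this check is one input to review alongside destination reputation and process lineage, not a verdict on its own.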

The Multi-Stage Chain

Stage 1 — DPAPILoader: The first loader in the chain; named for its abuse of the Windows Data Protection API
Stage 2 — RemotePELoader: The second loader; beacons to a C2 server and waits to receive the next stage
Stage 3 — RemotePE: The final payload — a cross-platform RAT executed entirely in memory, never written to disk
Companion — PondRAT: A RAT deployed earlier in the intrusion; removed by Lazarus once RemotePE is in place
Companion — ThemeForestRAT: A second companion RAT rolled out progressively alongside PondRAT during the intrusion
Four-Phase Progression: Social-engineering initial access; exploitation leading to PondRAT; a discovery phase with credential harvesting; removal of the earlier payloads in favor of RemotePE

Scope and Impact

The scope of the RemotePE threat is best understood through the kind of intrusion it is built for. Fox-IT's assessment — that RemotePE is purpose-built for long-term observation campaigns rather than smash-and-grab theft — reframes the threat model for the financial-services and cryptocurrency firms in its sights. The danger is not a single noisy event that triggers an alert and is then contained. The danger is low-signal, long-dwell surveillance: an adversary with quiet, persistent access to a financial or crypto organization, watching, mapping, and waiting. For a sector that has already absorbed the documented scale of DPRK theft from the financial sector, that is the access that tends to precede a major theft rather than constitute one.

Several specifics are not established, and this account does not imply otherwise. Fox-IT's research does not publicly name the financial or cryptocurrency organizations that were targeted, and this article names none. Reporting varies on attribution: some coverage attributes RemotePE to the broad Lazarus Group and some to a specific Lazarus subgroup, and the honest position is that the public record is not definitive on which. The total number of intrusions in which RemotePE has been deployed has not been reported, and neither has the current, 2026 status of the RAT's development — the four samples Fox-IT obtained indicate activity between mid-2023 and mid-2024, but not what has happened since. The initial-access vector is documented only as social engineering; this article does not go beyond that. And how much, if anything, was stolen in these campaigns is not stated. What is established is the design of the tool and the shape of the chain that delivers it, and that is enough to act on. This places RemotePE within the documented pattern of patient, well-resourced DPRK intrusion of financial targets — the surveillance phase, not the payout.

Response and Attribution

For security operations teams at financial-services and cryptocurrency organizations, the central instruction is to move detection off the disk. RemotePE writes nothing to disk, so a detection strategy built around scanning storage will conclude that a compromised host is clean. Ensure EDR tooling performs in-memory scanning and behavioral detection, and confirm the team can capture memory images during incident response. Hunt for the earlier, noisier stages — PondRAT and ThemeForestRAT — and for DPAPILoader and RemotePELoader loader activity, including RemotePELoader's C2 beaconing, because those stages are the detection window before Lazarus removes them. Watch specifically for the four-phase progression: a social-engineering initial access, an early RAT, a credential-harvesting discovery phase, and then a sudden cleanup of earlier implants. That cleanup is itself the alarm.
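"In-memory scanning" is an abstract requirement until a team can say what it would look for. One generic check, shown here as an added example rather than Fox-IT's tooling or anything RemotePE-specific, is to triage a live process's memory map for executable regions that no file on disk backs: code that was loaded straight into memory has to live somewhere, and on Linux that somewhere shows up in /proc/<pid>/maps as an anonymous r-x region. The listing below is constructed, the heuristic assumes a Linux host (Windows needs the equivalent VAD walk through an EDR or Volatility), and a hit is a lead for an analyst to dump and inspect, not proof of compromise, since JIT compilers and some packers produce the same shape legitimately.

```python
"""Triage a process memory map for executable regions with no file backing.
Added example; assumes Linux /proc/<pid>/maps format and uses a constructed listing."""
import re

# Constructed /proc/<pid>/maps excerpt: an ordinary binary and libc, the usual
# pseudo-regions, and one anonymous r-x region of the kind a memory-only
# loader leaves behind.  Addresses and paths are illustrative.
SAMPLE_MAPS = """\
55d1c0200000-55d1c0210000 r-xp 00000000 08:01 131093 /usr/bin/example-agent
55d1c0410000-55d1c0411000 rw-p 00010000 08:01 131093 /usr/bin/example-agent
7f3a12000000-7f3a12021000 rw-p 00000000 00:00 0      [heap]
7f3a13000000-7f3a1300f000 r-xp 00000000 00:00 0
7f3a14000000-7f3a141c0000 r-xp 00000000 08:01 3932   /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5e400000-7ffd5e421000 rw-p 00000000 00:00 0      [stack]
7ffd5e4f0000-7ffd5e4f2000 r-xp 00000000 00:00 0      [vdso]
"""

# address range, perms, offset, device, inode, optional pathname
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

# Kernel-provided executable pseudo-regions that are expected to be unbacked.
KNOWN_PSEUDO = {"[vdso]", "[vsyscall]", "[vvar]"}


def parse_maps(text):
    """Parse maps-format text into a list of region dicts."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, path = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16),
                        "perms": perms, "path": path.strip()})
    return regions


def unbacked_executable(regions):
    """Executable regions with no backing file and not a known pseudo-region."""
    return [r for r in regions
            if "x" in r["perms"]
            and (r["path"] == "" or r["path"].startswith("["))
            and r["path"] not in KNOWN_PSEUDO]


def triage(text):
    """Summarise suspicious regions from maps-format text."""
    return [{"range": f"{r['start']:x}-{r['end']:x}",
             "size": r["end"] - r["start"],
             "perms": r["perms"]}
            for r in unbacked_executable(parse_maps(text))]


def triage_pid(pid):
    """Run the same triage against a live process (needs ptrace-level access)."""
    with open(f"/proc/{pid}/maps") as f:
        return triage(f.read())


if __name__ == "__main__":
    for hit in triage(SAMPLE_MAPS):
        print(hit)
```

On the constructed listing exactly one region is reported, the anonymous 60 KiB r-x mapping. Running triage_pid across every process and diffing the result against a known-good baseline of the same image is the practical way to use this; a single snapshot taken during incident response should in any case be accompanied by a full memory capture, since the region can vanish the moment the process exits.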

For incident-response teams, memory capture should be treated as mandatory in any suspected Lazarus or finance-sector intrusion. A disk-only investigation conducted against a memory-only RAT will conclude "clean" and miss the most important stage entirely. Responders should assume long-term persistence and observation rather than a one-time event, and should treat the "earlier payloads were removed" pattern as evidence in its own right — not as housekeeping, but as the signature of a stealthier stage taking over.
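The "earlier payloads were removed" pattern only becomes an alert if something is written to raise it. The following is an added example, not detection content from Fox-IT or any of the sources cited here: a correlation rule over host telemetry that fires when an earlier-stage implant the team already detects is deleted shortly after credential-access activity on the same host, and stays quiet when the team's own remediation explains the deletion. The event schema, implant names (obvious placeholders standing in for whatever PondRAT or ThemeForestRAT detections a team already has) and the 24-hour window are all constructed assumptions.

```python
"""Correlation rule: earlier-stage implant removed after credential access.
Added example; event schema, indicator names and window are constructed placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder indicator set: stands in for existing PondRAT/ThemeForestRAT detections.
EARLY_STAGE_IMPLANTS = {"placeholder-pondrat", "placeholder-themeforestrat"}
# Event types the telemetry source emits for the discovery/credential-harvesting phase.
CRED_ACCESS_EVENTS = {"lsass_read", "dpapi_masterkey_access"}

# Constructed telemetry: (timestamp, host, event_type, subject).
SAMPLE_EVENTS = [
    # ws-17: implant seen, credentials harvested, then the implant removes itself.
    ("2024-03-01T09:00:00", "ws-17", "implant_detected", "placeholder-pondrat"),
    ("2024-03-01T10:15:00", "ws-17", "lsass_read", "placeholder-pondrat"),
    ("2024-03-01T10:40:00", "ws-17", "process_exit", "placeholder-pondrat"),
    ("2024-03-01T10:40:05", "ws-17", "file_delete", "placeholder-pondrat"),
    # ws-22: implant seen and exits, no credential access, nothing deleted.
    ("2024-03-01T09:30:00", "ws-22", "implant_detected", "placeholder-pondrat"),
    ("2024-03-01T09:45:00", "ws-22", "process_exit", "placeholder-pondrat"),
    # ws-31: same shape as ws-17, but the SOC logged its own remediation first.
    ("2024-03-01T11:00:00", "ws-31", "implant_detected", "placeholder-themeforestrat"),
    ("2024-03-01T11:20:00", "ws-31", "dpapi_masterkey_access", "placeholder-themeforestrat"),
    ("2024-03-01T12:00:00", "ws-31", "analyst_remediation", "placeholder-themeforestrat"),
    ("2024-03-01T12:01:00", "ws-31", "file_delete", "placeholder-themeforestrat"),
]


def correlate(events, window=timedelta(hours=24)):
    """Return one alert per (host, implant) whose removal looks like attacker cleanup."""
    by_host = defaultdict(list)
    for ts, host, etype, subject in events:
        by_host[host].append((datetime.fromisoformat(ts), etype, subject))

    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        for implant in EARLY_STAGE_IMPLANTS:
            detected = [t for t, e, s in evs if e == "implant_detected" and s == implant]
            if not detected:
                continue
            first_seen = detected[0]
            cred = [t for t, e, s in evs if e in CRED_ACCESS_EVENTS and t >= first_seen]
            if not cred:
                continue
            remediated = [t for t, e, s in evs if e == "analyst_remediation" and s == implant]
            for t, e, s in evs:
                if e != "file_delete" or s != implant:
                    continue
                if not (cred[0] <= t <= cred[0] + window):
                    continue
                if any(r <= t for r in remediated):
                    continue  # the team removed it; not attacker cleanup
                alerts.append({"host": host, "implant": implant,
                               "first_seen": first_seen.isoformat(),
                               "cred_access": cred[0].isoformat(),
                               "removed": t.isoformat(),
                               "severity": "high",
                               "note": "earlier-stage implant removed after credential access; "
                                       "assume a stealthier stage is in place and capture memory"})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only ws-17 produces an alert. The two suppressions matter as much as the hit: a process that merely crashes without credential access (ws-22) is ordinary noise, and a deletion that follows the SOC's own remediation record (ws-31) is housekeeping. Wiring the alert to trigger an automatic memory capture of the host is the natural next step, since by the time an analyst reads it the stage that replaced the implant is, by design, not on disk.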

For CISOs at finance and crypto firms, RemotePE fits a documented DPRK pattern: patient, well-resourced intrusion of financial targets that precedes large-scale theft. The board-level message is that the threat is long-term surveillance, not a quick hit, and that the organization may be under observation without a single noisy alert to show for it. Social engineering is the documented initial-access vector, which makes workforce hardening and phishing-resistant authentication direct, fundable mitigations. Budget for memory-forensics capability and for EDR with strong in-memory detection. RemotePE belongs in the same conversation as the documented scale of DPRK theft from the financial sector: it is the kind of quiet, durable access that the largest DPRK financial thefts are built on top of.


The CyberSignal Analysis

Signal 01 — RemotePE Is an Anti-Forensics Tool First and a RAT Second

Most coverage of RemotePE will describe it as another Lazarus remote access trojan, and that is accurate but incomplete. The more useful framing is that RemotePE is an anti-forensics design before it is anything else. Memory-only execution, no disk artifacts, EDR evasion, environmental keying — these are not capabilities aimed at what the RAT does to a victim, they are capabilities aimed at what an investigator can later prove. RemotePE is engineered around the post-incident review: it is built so that when the security team finally looks, there is nothing for them to see. For defenders, that reframing changes the priority. The question is not only "can we detect this RAT" but "would our investigation even be capable of finding a tool that lives only in memory." If the answer is no — if memory capture is not routine and EDR does not scan memory — then RemotePE has already won the part of the fight it was designed for.

Signal 02 — The Cleanup Step Is the Highest-Fidelity Signal Lazarus Gives You

The most operationally valuable detail in Fox-IT's research is the four-phase progression, and specifically its fourth phase: Lazarus removes the earlier payloads in favor of RemotePE. Defenders are trained to treat the arrival of malware as the alarm. RemotePE inverts that. The arrival of RemotePE produces no disk artifact and no reliable signal; what produces a signal is the disappearance of the earlier RATs. A sudden, deliberate cleanup of implants is not how a smash-and-grab operator behaves — it is how an actor behaves when it is swapping a noisy tool for a quiet one. A defender who sees PondRAT or ThemeForestRAT activity stop abruptly, or who sees earlier payloads being removed during an active intrusion, should not record that as the incident resolving itself. It should be escalated as the opposite: a high-fidelity indication that a stealthier stage has just been installed and the intrusion is going dark.

Signal 03 — This Is the Surveillance Phase That Precedes a Theft

RemotePE should not be read as an isolated malware story. It is the patient, low-signal end of a documented DPRK pattern in which long-term intrusion of financial and cryptocurrency targets sets up large-scale theft. The CrowdStrike 2026 financial-services threat reporting laid out the scale of DPRK theft from the sector; RemotePE is a clear look at the tradecraft that makes that scale possible. A RAT that runs only in memory, evades EDR, is keyed to its environment, and is deployed only after the noisier tools are cleaned up is not built for a single payout — it is built to maintain quiet access while the operators map an organization, harvest credentials, and wait. For CISOs at finance and crypto firms, the strategic takeaway is that the absence of a noisy incident is not evidence of safety. The most dangerous DPRK access is the access that never triggers an alert, and RemotePE is purpose-built to be exactly that.


Sources

Primary: Fox-IT (NCC Group) — RemotePE: The Lazarus RAT that lives in memory
Reporting: The Hacker News — Lazarus Deploys RemotePE, a Memory-Only RAT, Against Finance and Crypto
Analysis: SOC Prime — Detect Lazarus Attacks Using Three New RATs
Reporting: SecurityBrief — Lazarus Subgroup Deploys Trio of RATs in Finance-Sector Attacks