Cryptopolitan
Lazarus Group Escalates Attacks with Fileless RemotePE Trojan Targeting Crypto and Banks
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The Lazarus Group, a North Korea-linked cybercrime organization, has intensified its operations against financial and cryptocurrency sectors using a sophisticated fileless Remote Access Trojan (RAT) called RemotePE. This malware operates entirely in memory, making it difficult to detect and leaving minimal forensic traces. The attack begins with social engineering tactics, where attackers impersonate employees of trading firms via Telegram and use fake scheduling links from platforms like Calendly and Picktime. The malware executes through a three-stage process involving DPAPILoader, RemotePELoader, and the final RemotePE payload, all while avoiding file system interactions. In the first four months of 2026, the Lazarus Group has reportedly stolen approximately $577 million in cryptocurrency, accounting for 76% of global crypto thefts. This marks a significant increase in their operations, with a total of $6 billion stolen since 2017, allegedly funding North Korea's weapons programs amid international sanctions.
Key Points: • Lazarus Group uses a fileless RAT named RemotePE to target banks and cryptocurrency firms. • The malware operates entirely in memory, evading traditional detection methods. • In 2026, Lazarus has stolen $577 million, representing 76% of all crypto thefts globally.