Lazarus Group Escalates Attacks with Fileless RemotePE Trojan Targeting Crypto and Banks

Lazarus Group Escalates Attacks with Fileless RemotePE Trojan Targeting Crypto and Banks

First seen 25 May 2026, 16:31 UTC ThehackernewsCryptopolitanBitgetMexc.CoWeex+6 88% similarity 77.9

Article Content

Browse articles
ThreatCluster

The Lazarus Group, a North Korea-linked cybercrime organization, has intensified its operations against financial and cryptocurrency sectors using a sophisticated fileless Remote Access Trojan (RAT) called RemotePE. This malware operates entirely in memory, making it difficult to detect and leaving minimal forensic traces. The attack begins with social engineering tactics, where attackers impersonate employees of trading firms via Telegram and use fake scheduling links from platforms like Calendly and Picktime. The malware executes through a three-stage process involving DPAPILoader, RemotePELoader, and the final RemotePE payload, all while avoiding file system interactions. In the first four months of 2026, the Lazarus Group has reportedly stolen approximately $577 million in cryptocurrency, accounting for 76% of global crypto thefts. This marks a significant increase in their operations, with a total of $6 billion stolen since 2017, allegedly funding North Korea's weapons programs amid international sanctions.

Key Points: • Lazarus Group uses a fileless RAT named RemotePE to target banks and cryptocurrency firms. • The malware operates entirely in memory, evading traditional detection methods. • In 2026, Lazarus has stolen $577 million, representing 76% of all crypto thefts globally.

ThreatCluster AI

Timeline

2025-09-01
RemotePE malware first discovered
Cybersecurity analysts identified the RemotePE RAT as a new threat used by the Lazarus Group.
Mexc.Co
2026-01-01
Lazarus Group steals $577 million in crypto
In the first four months of 2026, Lazarus Group's thefts accounted for 76% of global crypto thefts.
Mexc.Co
2026-05-25
Lazarus Group's RemotePE campaign reported
Multiple cybersecurity articles confirm the ongoing exploitation of RemotePE against financial sectors.
Rescana
2026-05-26
Ongoing RemotePE attacks highlighted
Cybersecurity firms continue to report on the sophistication and impact of the RemotePE RAT in recent attacks.
Panewslab

Community

Browse all →