The Lazarus APT group, linked to North Korea, has introduced a fileless remote access Trojan (RAT) called RemotePE, designed to evade detection and frustrate forensic analysis. The malware operates entirely in memory, using a three-stage toolchain that starts with a loader (DPAPILoader) which recovers its next stage from a payload encrypted with the Windows Data Protection API (DPAPI). Because DPAPI ties the encryption key to the user or machine that created the blob, the encrypted payload is useless on an analyst's system; only the originally infected host can decrypt it.
The final stage is RemotePE itself, a C++ RAT with features such as file operations and process management, all performed without leaving traces on the filesystem. Researchers at Fox-IT observed that the toolchain is built for long-running campaigns, letting the actor maintain access for an extended period before executing major objectives such as financial theft. Defensive recommendations include monitoring host-based indicators, such as suspicious DPAPI-encrypted blobs, and DNS queries to known command-and-control domains.
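The "suspicious DPAPI-encrypted blobs" indicator can be hunted with a byte-signature scan, because every blob produced by CryptProtectData carries a fixed 20-byte header (version 1 followed by the DPAPI provider GUID) and then the GUID of the master key needed to decrypt it. The scanner below is an added example, not Fox-IT's tooling or anything from the RemotePE toolchain; the sample buffer, the master-key GUIDs and the `build_sample_blob` helper are constructed for the demonstration.

```python
"""Triage scanner for DPAPI blob headers in files or memory dumps.

Added example, not Fox-IT's tooling. The sample buffer and master-key
GUIDs below are constructed test data.
"""
import struct
import uuid
from typing import Iterator, List, NamedTuple

# Every blob written by CryptProtectData begins with dwVersion == 1 followed by
# the DPAPI provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in the
# little-endian layout Windows uses for GUIDs. That 20-byte prefix is the
# signature commonly used in YARA rules for DPAPI blobs.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_SIGNATURE = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le

CRYPTPROTECT_LOCAL_MACHINE = 0x4  # flag bit preserved in the blob's dwFlags


class DpapiBlobHit(NamedTuple):
    offset: int
    master_key_guid: str  # which master key (hence which user/machine) can decrypt it
    scope: str            # "machine" or "user"
    description: str      # optional label supplied by whoever created the blob
    flags: int


def find_dpapi_blobs(buf: bytes) -> Iterator[DpapiBlobHit]:
    """Yield a hit for every DPAPI blob header found in buf.

    Fields after the 20-byte signature, all little-endian:
      dwMasterKeyVersion  4 bytes
      guidMasterKey      16 bytes
      dwFlags             4 bytes
      dwDescriptionLen    4 bytes
      szDescription       UTF-16LE, dwDescriptionLen bytes including the NUL
    The remaining fields (algorithm IDs, salt, HMAC, ciphertext) are not
    needed to identify the blob and are skipped here.
    """
    pos = buf.find(DPAPI_SIGNATURE)
    while pos != -1:
        hdr = pos + len(DPAPI_SIGNATURE)
        if hdr + 28 > len(buf):
            break
        mk_guid = uuid.UUID(bytes_le=buf[hdr + 4:hdr + 20])
        flags, desc_len = struct.unpack_from("<II", buf, hdr + 20)
        desc = buf[hdr + 28:hdr + 28 + desc_len]
        description = desc.decode("utf-16-le", errors="replace").rstrip("\x00")
        scope = "machine" if flags & CRYPTPROTECT_LOCAL_MACHINE else "user"
        yield DpapiBlobHit(pos, str(mk_guid), scope, description, flags)
        pos = buf.find(DPAPI_SIGNATURE, hdr)


def build_sample_blob(master_key_guid: str, description: str, flags: int = 0) -> bytes:
    """Construct a DPAPI-shaped header (no real ciphertext) for testing.

    Constructed helper for this example; it is not CryptProtectData output.
    """
    desc = description.encode("utf-16-le") + b"\x00\x00"
    return (
        DPAPI_SIGNATURE
        + struct.pack("<I", 1)                    # dwMasterKeyVersion
        + uuid.UUID(master_key_guid).bytes_le     # guidMasterKey
        + struct.pack("<II", flags, len(desc))    # dwFlags, dwDescriptionLen
        + desc
        + b"\x00" * 64                            # stand-in for the rest of the blob
    )


# Constructed input: unrelated bytes surrounding two fake blobs, one
# user-scoped with no description, one machine-scoped with a descriptor.
SAMPLE_BUFFER = (
    b"MZ\x90\x00" + b"\x00" * 40
    + build_sample_blob("11111111-2222-3333-4444-555555555555", "")
    + b"junk" * 8
    + build_sample_blob("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "payload",
                        CRYPTPROTECT_LOCAL_MACHINE)
)


def scan_sample() -> List[DpapiBlobHit]:
    """Run the scanner over the constructed buffer and return all hits."""
    return list(find_dpapi_blobs(SAMPLE_BUFFER))


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"offset={hit.offset:#x} scope={hit.scope} "
              f"master_key={hit.master_key_guid} desc={hit.description!r}")
```

Two caveats when using this for real. First, DPAPI blobs are common on a healthy Windows host (Credential Manager, browser key storage, scheduled-task credentials), so a hit is a triage lead, not an alert: what makes one suspicious is where it sits (an unexpected registry value, a file in a staging directory, or the memory of a process that has no business calling DPAPI) and which master key GUID it references. Second, for a fileless implant such as RemotePE the interesting blobs may never touch disk, so run the scan over a process memory dump or a full memory image rather than the filesystem, and remember that recovering the plaintext requires the referenced master key, which means decrypting on the infected host or with that user's master key material obtained from it.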