
RemotePE — The Lazarus RAT that lives in memory


Summary

A subgroup of Lazarus — the North Korea-linked APT known for cryptocurrency heists worth hundreds of millions of dollars — has retired its older tooling (ThemeForestRAT, PondRAT) in favour of a three-stage memory-only chain that Fox-IT/NCC Group named RemotePE. The final payload runs entirely in RAM and is never written to disk, so forensic imaging of the disk yields almost nothing.

What makes this campaign dangerous to a business is not a single exploit but the actor's ability to maintain stealthy, long-term access: they can quietly observe for months before the final objective (data theft or a large-scale financial heist). The confirmed victim was a decentralized finance (DeFi) organisation, with initial access via Telegram social engineering.

Who should pay attention: crypto exchanges, DeFi funds, fintechs, and any organisation holding digital assets or wallet keys. One priority action: threat-hunt for DPAPI-encrypted blobs in unexpected directories and DLLs masquerading as legitimate Windows services — these are the most reliable host-based indicators, because the network C2 is crafted to blend in with legitimate Microsoft traffic.

Attribution & context

Fox-IT/NCC Group attribute this campaign to a Lazarus subgroup with high confidence, based on overlap with known activity clusters: AppleJeus, Citrine Sleet, UNC4736 and Gleaming Pisces. This is the same actor previously seen using ThemeForestRAT and PondRAT — and RemotePE is the "more sophisticated" replacement for those families observed in one specific investigation.

Two behavioural tells reinforce the attribution: (1) the seven-pass secure-deletion command matches the pattern used by PondRAT and POOLRAT — both previously associated with this actor; and (2) all six successful payload deliveries fell within daytime hours in the Korea Standard Time zone (KST, UTC+9), consistent with operator working hours. Per Security Affairs, initial access followed a familiar Lazarus pattern: luring the victim over Telegram, posing as employees of a legitimate trading firm and scheduling fake meetings through spoofed Calendly/Picktime domains.

Kill chain / Attack flow

The toolset forms a three-stage chain, each stage doing exactly one job and gating the next:

Figure 1 — The three-stage chain: DPAPILoader → RemotePELoader → RemotePE. DPAPILoader decrypts & loads RemotePELoader from disk; RemotePELoader retrieves & executes RemotePE in memory. Source: Fox-IT International blog.

Technical analysis

Stage 1 — DPAPILoader: a loader bound to the victim environment

DPAPILoader is a DLL with a single job: decrypt an encrypted on-disk payload and load it into memory. In the investigation it was found at C:\Windows\System32\Iassvc.dll, installed under a service named "Internet Authentication Service" — auto-starting at boot for persistence. The filename and service name deliberately mimic the legitimate Windows Server IAS (whose real DLL is iassvcs.dll — note the extra 's').

The sample first checks whether it is running under svchost.exe, then scans every file matching C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US*.*. This directory normally holds Microsoft Cabinet files. DPAPILoader skips any file beginning with the Cabinet magic bytes (MSCF / 4D 53 43 46) to filter out legitimate packages, then DPAPI-decrypts any file larger than 50 KiB and reflectively loads it with libpeconv.

Why is DPAPI such a valuable choice for the attacker? DPAPI ties decryption keys to a specific user account on that specific machine. The consequences:

  • The on-disk payload is never in plaintext; uploading a sample to VirusTotal is useless without the victim's DPAPI keys → static analysis is effectively impossible.
  • Each deployment produces a different encrypted blob → the hash differs across victims, defeating signature/hash-based detection.
  • After DPAPI decryption, the payload is additionally XORed with 0x8D.

Binding the payload to the victim's own DPAPI keys is a form of environmental keying (T1480.001).

Three DPAPILoader samples observed (spanning ~9 months):

PE timestamp   DLL           Export                   Obfuscation
2023-11-14     Iassvc.dll    ServiceMain              XOR 0x8D
2024-02-21     sspicli.dll   InitSecurityInterfaceW   XOR 0x8D
2024-08-21     wmiclnt.dll   WmiOpenBlock             DPAPI + XOR 0x8D

The sspicli.dll sample is DLL side-loaded via ESET's edp.exe; the wmiclnt.dll sample embeds the encrypted payload directly in the DLL, removing the dependency on a separate on-disk file.

Stage 2 — RemotePELoader: an operator-controlled loader

RemotePELoader is decrypted from the DPAPI payload. It has no RAT functionality; its sole job is to fetch the core module from C2 and load it into memory. Before anything else, it applies two evasion techniques:

  1. HellsGate (the TartarusGate variant) — resolves Windows syscall numbers at runtime by scanning stubs in ntdll.dll (obtaining NtOpenSection, NtMapViewOfSection, NtUnmapViewOfSection, NtProtectVirtualMemory, NtClose). Using direct syscalls, it remaps each DLL from the clean \KnownDlls section, removing all userland hooks placed by security products.
  2. ETW patching — overwrites the start of EtwEventWrite() in the current process with:

       48 33 c0          ; XOR  RAX, RAX
       c3                ; RET

This makes EtwEventWrite return 0 immediately, suppressing all ETW telemetry that many EDRs rely on.
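The patch is small enough that a defender can check for it directly. As an added example (not code from the Fox-IT write-up or from this blog), the script below compares the first bytes of EtwEventWrite against the xor rax,rax / ret stub described above. inspect_prologue() is pure and runs anywhere; read_etw_prologue() uses ctypes and only reads memory on 64-bit Windows. The extra "immediate ret" test is a generalisation beyond the blog: a real export never begins with a bare ret, so it catches the same idea written differently. The two sample prologues are constructed, not bytes taken from any real ntdll.

```python
# Check whether EtwEventWrite's entry point has been overwritten with the
# xor rax,rax / ret stub the blog describes. Added example, not Fox-IT or
# FPT IS code. inspect_prologue() is pure; read_etw_prologue() uses ctypes
# and only does anything on 64-bit Windows.
import ctypes
import sys
from typing import Optional

# The four bytes RemotePELoader writes: 48 33 c0 (xor rax,rax) c3 (ret).
ETW_STUB = bytes.fromhex("4833c0c3")
# Generalisation (not from the blog): any function starting with a bare
# ret has also been neutralised; no legitimate EtwEventWrite begins that way.
RET_ONLY = b"\xc3"
PROLOGUE_LEN = 8


def inspect_prologue(prologue: bytes) -> dict:
    """Report whether the given entry bytes match a known neutralising stub."""
    if prologue.startswith(ETW_STUB):
        match = "remotepe-stub"
    elif prologue.startswith(RET_ONLY):
        match = "immediate-ret"
    else:
        match = None
    return {
        "patched": match is not None,
        "match": match,
        "prologue": prologue[:PROLOGUE_LEN].hex(),
    }


def read_etw_prologue() -> Optional[bytes]:
    """Read the first bytes of EtwEventWrite in this process (Windows x64 only)."""
    if sys.platform != "win32" or ctypes.sizeof(ctypes.c_void_p) != 8:
        return None
    ntdll = ctypes.WinDLL("ntdll")
    addr = ctypes.cast(ntdll.EtwEventWrite, ctypes.c_void_p).value
    return ctypes.string_at(addr, PROLOGUE_LEN)


def check_current_process() -> dict:
    """Self-check for an agent or triage script; patched=None means nothing could be read."""
    prologue = read_etw_prologue()
    if prologue is None:
        return {"patched": None, "match": None, "prologue": None}
    return inspect_prologue(prologue)


# Constructed samples: the stub itself, and an arbitrary non-stub prologue.
PATCHED_SAMPLE = ETW_STUB + b"\xcc" * 4
CLEAN_SAMPLE = bytes.fromhex("4883ec384533c9e9")  # constructed, not a real export prologue

if __name__ == "__main__":
    print(inspect_prologue(PATCHED_SAMPLE))
    print(inspect_prologue(CLEAN_SAMPLE))
    print(check_current_process())
```

Run from a process you control (a monitoring agent, a scheduled triage task) rather than by injecting into others; the point is that a process whose own EtwEventWrite returns immediately has had its telemetry cut, which is exactly the condition the "Monitor for ETW tampering" recommendation asks for.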

Configuration is read from the same DeviceMetadataStore directory, distinguished from the PE payload by size (config < 20 KiB), DPAPI-decrypted then XORed with 0x8D. The config struct holds: sleep intervals between polls, up to 3 C2 URLs, an optional proxy, and a configurable User-Agent.
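Because Stage 1's payload and Stage 2's config share the same directory and are told apart only by magic bytes and size, the loader's own selection logic doubles as a hunting rule. As an added example (not code from the Fox-IT write-up or from this blog), the script below walks a DeviceMetadataStore directory, drops Cabinet files (MSCF) the way DPAPILoader does, and buckets what is left by the thresholds the blog gives: over 50 KiB is a candidate encrypted PE, under 20 KiB a candidate config. The DPAPI blob header test (version dword 1 followed by the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb) is general DPAPI format knowledge, not something the blog states; the demo directory is constructed.

```python
# Triage a DeviceMetadataStore directory for candidate DPAPILoader /
# RemotePELoader artefacts. Added example, not Fox-IT or FPT IS code.
# Selection logic from the blog: en-US*.* files; Cabinet packages (MSCF
# magic) are legitimate and skipped; a non-CAB file > 50 KiB is a candidate
# encrypted PE, < 20 KiB a candidate config. The DPAPI blob header test is
# general DPAPI format knowledge and is NOT something the blog states.
import os
import struct
import tempfile
import uuid
from dataclasses import dataclass
from pathlib import Path

CAB_MAGIC = b"MSCF"
# DPAPI blob layout: DWORD dwVersion == 1, then the provider GUID (mixed-endian).
DPAPI_HEADER = struct.pack("<I", 1) + uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le
PAYLOAD_MIN = 50 * 1024   # DPAPILoader only decrypts files larger than this
CONFIG_MAX = 20 * 1024    # RemotePELoader takes smaller files as its config
STORE_DIR = r"C:\ProgramData\Microsoft\Windows\DeviceMetadataStore"


@dataclass
class Finding:
    path: str
    size: int
    kind: str   # "dpapi-blob" or "unknown" (CABs are dropped)
    role: str   # "payload-candidate", "config-candidate" or "other"


def classify(head: bytes) -> str:
    """Classify a file by its leading bytes."""
    if head.startswith(CAB_MAGIC):
        return "cab"
    if head.startswith(DPAPI_HEADER):
        return "dpapi-blob"
    return "unknown"


def role_for_size(size: int) -> str:
    """Map a file size onto the loader's own thresholds."""
    if size > PAYLOAD_MIN:
        return "payload-candidate"
    if size < CONFIG_MAX:
        return "config-candidate"
    return "other"


def triage(store_dir: str = STORE_DIR) -> list:
    """Return every non-CAB en-US* file in store_dir, DPAPI blobs first, largest first."""
    findings = []
    for p in sorted(Path(store_dir).glob("en-US*")):
        if not p.is_file():
            continue
        with open(p, "rb") as fh:
            kind = classify(fh.read(len(DPAPI_HEADER)))
        if kind == "cab":
            continue  # the same filter DPAPILoader applies: a legitimate package
        size = p.stat().st_size
        findings.append(Finding(str(p), size, kind, role_for_size(size)))
    findings.sort(key=lambda f: (f.kind != "dpapi-blob", -f.size))
    return findings


def demo() -> list:
    """Constructed sample store: one CAB, two DPAPI-looking blobs, one plain file."""
    d = tempfile.mkdtemp()
    Path(d, "en-US.cab").write_bytes(CAB_MAGIC + b"\x00" * 100)               # legitimate, skipped
    Path(d, "en-US-a.dat").write_bytes(DPAPI_HEADER + os.urandom(60 * 1024))  # > 50 KiB
    Path(d, "en-US-b.dat").write_bytes(DPAPI_HEADER + os.urandom(2 * 1024))   # < 20 KiB
    Path(d, "en-US-c.dat").write_bytes(b"\x00" * (30 * 1024))                 # between thresholds
    return triage(d)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:10} {f.role:18} {f.size:>7}  {f.path}")
```

On a live host run triage() against the real directory (or against a mounted forensic image, by pointing store_dir at the extracted path); a DPAPI blob that is not a Cabinet file, created by something other than the normal metadata services, is the host-based indicator the summary asks you to prioritise. Decrypting the blob still needs the victim's DPAPI keys, so the script classifies and does not decrypt.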

C2 over HTTP POST. Host information is carried in the Cookie header; a check-in request is identified by at_check=true. The server returns JSON whose odata.metadata key contains the session ID; the at_check cookie is then replaced with ai_session. The PE payload is returned AES-GCM encrypted + Base64-encoded. All messages (except the initial check-in) are AES-encrypted, with key/nonce derived from a SplitMix64 seed produced by a Mersenne Twister PRNG.

In Fox-IT's C2 emulation, the server did not return a payload immediately — suggesting an actor-in-the-loop model where the operator manually decides when to deliver it.

Stage 3 — RemotePE: the in-memory RAT

RemotePE is a full-featured RAT, written in object-oriented C++, multithreaded, sharing a codebase with RemotePELoader (same C2Message struct, same on-disk config file). Both stages enforce chain integrity by checking lpReserved == 0x1000 in DllMain — if not loaded by the previous stage, they won't run.

Two main threads: IChannelController (C2 comms) and IMiddleController (command processing). While sleeping, RemotePE also checks for a Windows event named 554D5C1F-AABE-49E4-AB57-994D22ECED28 — if present, it wakes immediately. No component of the toolset creates this event → it is an out-of-band wake mechanism triggered externally by the operator.

Six command categories (identified by C++ RTTI class names):

Class (ID)           Func ID   Function
IConfigProfile (0)   0–1       Get / set the C2 configuration
IConsole (1)         0–6       Get/change CWD; execute a command; list/register/invoke/unload modules (plugin DLLs)
IFileExplorer (2)    0–6       Enumerate drives & directories; delete/rename/read/write files; ZIP file/dir and return it
IProcess (3)         0–4       List/kill processes; find files by env variable; create a process (incl. create-as-user)
ITimer (4)           0–2       Sleep X minutes (non-persistent or persisted to config); exit RemotePE
IPing (5)            –         No-op

Two notable details:

  • Secure deletion: the delete command overwrites each file with constant bytes seven times before renaming and deleting it — a pattern matching PondRAT/POOLRAT (anti-forensics).
  • Plugin system: the operator dynamically registers DLLs at runtime. Payloads must be valid both as a Windows DLL and as reflective shellcode — a hallmark of pe_to_shellcode ("shellcodified DLLs").

The C2 protocol mirrors RemotePELoader's, with one difference: RemotePE uses the MUID cookie instead of MS0. Command output is MSZIP-compressed (via cabinet.dll), AES-GCM encrypted, Base64-encoded, then returned in the armAuthorization JSON key. The JSON/cookie names (armAuthorization, odata.metadata, MSFPC, etc.) deliberately overlap with the Microsoft ecosystem so the traffic looks legitimate.
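The cookie and JSON names above are chosen to look like Microsoft traffic, so a detector has to key on their combination rather than on any one of them. As an added example (not code from the Fox-IT write-up or from this blog), the script below scores an HTTP request/response pair using only what the Stage 2 and Stage 3 sections state: a POST whose Cookie carries at_check=true (check-in), or ai_session together with MS0 (RemotePELoader) or MUID (RemotePE); a JSON reply carrying odata.metadata (session id) or a Base64 blob in armAuthorization. MUID, MSFPC and ai_session are also legitimate Microsoft and Application Insights cookie names and odata.metadata is a legitimate OData key (general knowledge, not from the blog), which is why a single trait only earns "review". The sample transactions, host name and identifiers are constructed.

```python
# Score an HTTP request/response pair for the RemotePELoader / RemotePE C2
# shape. Added example, not Fox-IT or FPT IS code. Uses only what the blog
# states about cookie and JSON names; no single name is flagged on its own
# because MUID, MSFPC, ai_session and odata.metadata all occur in legitimate
# Microsoft traffic. All sample transactions below are constructed.
import base64
import binascii
import json


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, headers (lower-cased keys) and cookies."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return {"method": method, "path": path, "headers": headers, "cookies": cookies, "body": body}


def _looks_base64(value) -> bool:
    """True for a string of reasonable length that strictly decodes as Base64."""
    if not isinstance(value, str) or len(value) < 16:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def score_request(req: dict) -> list:
    """Return the RemotePE-shaped traits present in a parsed request."""
    if req["method"] != "POST":
        return []
    c = req["cookies"]
    traits = []
    if c.get("at_check") == "true":
        traits.append("check-in cookie at_check=true")
    if "ai_session" in c and "MS0" in c:
        traits.append("ai_session + MS0 (RemotePELoader session)")
    if "ai_session" in c and "MUID" in c:
        traits.append("ai_session + MUID (RemotePE session)")
    return traits


def score_response(body: str) -> list:
    """Return the RemotePE-shaped traits present in a JSON response body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    if not isinstance(doc, dict):
        return []
    traits = []
    if "odata.metadata" in doc:
        traits.append("odata.metadata key (session id carrier)")
    if _looks_base64(doc.get("armAuthorization")):
        traits.append("armAuthorization key holding a Base64 blob")
    return traits


def classify_transaction(raw_request: str, response_body: str) -> dict:
    """Verdict: remotepe-c2 when both sides match, review when one side does, benign otherwise."""
    req_traits = score_request(parse_request(raw_request))
    resp_traits = score_response(response_body)
    if req_traits and resp_traits:
        verdict = "remotepe-c2"
    elif req_traits or resp_traits:
        verdict = "review"
    else:
        verdict = "benign"
    return {"verdict": verdict, "request": req_traits, "response": resp_traits}


# Constructed exchanges; host name, session id and blob contents are made up.
CHECKIN_REQUEST = (
    "POST /v1/telemetry HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    "Cookie: at_check=true; MSFPC=CONSTRUCTED-HOST-INFO\r\n"
    "Content-Type: application/json\r\n\r\n{}"
)
CHECKIN_RESPONSE = json.dumps({"odata.metadata": "CONSTRUCTED-SESSION-ID"})
TASK_REQUEST = (
    "POST /v1/telemetry HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    "Cookie: ai_session=CONSTRUCTED-SESSION-ID; MUID=CONSTRUCTED-BOT-ID\r\n\r\n"
)
TASK_RESPONSE = json.dumps({"armAuthorization": base64.b64encode(b"constructed ciphertext bytes").decode()})
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: www.example.com\r\nCookie: MUID=CONSTRUCTED\r\n\r\n"

if __name__ == "__main__":
    for label, rq, rs in (("check-in", CHECKIN_REQUEST, CHECKIN_RESPONSE),
                          ("task", TASK_REQUEST, TASK_RESPONSE),
                          ("benign", BENIGN_REQUEST, "{}")):
        print(label, classify_transaction(rq, rs))
```

Feed it decrypted proxy or NDR transcripts; a "review" verdict on a POST to a host outside Microsoft-owned domains is worth a look, and "remotepe-c2" is the shape the blog describes end to end. The Base64 check does not try to decrypt anything: the AES-GCM key material is derived inside the implant, so the traffic's structure, not its content, is the detectable part.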

C2 infrastructure

The infrastructure runs on Namecheap shared hosting — consistent with the earlier ThemeForestRAT/PondRAT campaigns. Shared hosting makes IP-based blocking largely ineffective, since the same server also hosts legitimate domains. Fox-IT expanded detection to additional domains/servers via C2 fingerprinting (see IOCs).

Development & delivery timeline

Four RemotePE samples show continuous development from mid-2023 → mid-2024 (mainly in config-loading mechanism and bot identification):

PE timestamp   Config loading                                   Bot ID
2023-07-04     Find DPAPI config on disk                        SOFTWARE\Microsoft\SQMClient\MachineId
2023-10-17     C2 URLs passed via lpThreadParameter             SOFTWARE\Microsoft\SQMClient\MachineId
2024-04-18     Find DPAPI config on disk                        SOFTWARE\Microsoft\SQMClient\MachineId
2024-05-11     DPAPI config path passed via lpThreadParameter   Software\Microsoft\Cryptography\MachineGuid

C2 payload delivery times (6 successful sessions) — all fell within KST daytime (08:00–19:00):

C2 session (UTC)   Payload returned (UTC)   Delta    Payload returned (KST)
2024-02-07 00:21   2024-02-07 01:09         48 min   2024-02-07 10:09
2024-12-09 08:48   2024-12-09 09:08         20 min   2024-12-09 18:08
2024-12-10 23:57   2024-12-11 00:46         49 min   2024-12-11 09:46
2025-01-10 08:21   2025-01-10 08:21         0 min    2025-01-10 17:21
2025-02-10 21:56   2025-02-10 23:03         67 min   2025-02-11 08:03
2025-07-09 11:57   2025-07-10 07:50         20 hrs   2025-07-10 16:50

Indicators of Compromise

Domains are defanged. Source: Fox-IT / NCC Group.

Domains (C2)

livedrivefiles[.]com          (2023-07-17 → 2025-07-27)
aes-secure[.]net              (2023-09-18 → still active)
azureglobalaccelerator[.]com  (2023-09-18 → still active)
msdeliverycontent[.]com       (2024-02-19 → 2026-05-09)
akamaicloud[.]com             (2024-02-19 → 2025-02-14)
intelcloudinsights[.]com      (2024-04-13 → 2026-04-23)
devicelinkintel[.]com         (2024-08-16 → still active)

Host-based

file.name   : Iassvc.dll                              (DPAPILoader)
event.name  : 554D5C1F-AABE-49E4-AB57-994D22ECED28    (RemotePE wake event)
service     : "Internet Authentication Service" (Ias) running servicedll Iassvc.dll
path        : C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US*.*  (DPAPI blobs / config)

SHA-256 (samples)

4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874  DPAPILoader (Iassvc.dll)
aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039  DPAPILoader (wmiclnt.dll)
159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3  DPAPILoader (sspicli.dll)
7a05188ab0129b0b4f38e2e7599c5c52149ce0131140db33feb251d926428d68  RemotePELoader (decrypted from disk)
37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef  RemotePE (2023-07-04)
6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d  RemotePE (2023-10-17)
62e040a32aac2d2faa8d2bffa2cf7ab662228cebf9bb78eaa0a633c0b729d119  RemotePE (2024-04-18)
710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8  RemotePE (2024-05-11)

DFIR note: DPAPILoader hashes differ across victims (environmental keying), so loader hashes have low fidelity for broad detection. Prioritise behavioural and host-based indicators.

MITRE ATT&CK Mapping

Tactic                Technique                                        ID          Use in this campaign
Initial Access        Phishing: Spearphishing via Service              T1566.003   Telegram social engineering, fake meetings
Execution             Native API                                       T1106       Direct syscalls (HellsGate/TartarusGate)
Execution             User Execution                                   T1204       Victim runs file via the fake "meeting"
Persistence           Create/Modify System Process: Windows Service    T1543.003   "Internet Authentication Service"
Defense Evasion       Execution Guardrails: Environmental Keying       T1480.001   DPAPI + XOR 0x8D bind to victim
Defense Evasion       Reflective Code Loading                          T1620       libpeconv; in-memory RAT
Defense Evasion       Masquerading: Match Legitimate Name/Location     T1036.005   Iassvc.dll, Microsoft-like traffic
Defense Evasion       Hijack Execution Flow: DLL Side-Loading          T1574.002   sspicli.dll via ESET edp.exe
Defense Evasion       Impair Defenses: Disable/Modify Tools            T1562.001   EDR unhooking via \KnownDlls
Defense Evasion       Impair Defenses: Indicator Blocking              T1562.006   Patch EtwEventWrite
Defense Evasion       Obfuscated Files or Information                  T1027       DPAPI/XOR/AES-GCM payload
Defense Evasion       Indicator Removal: File Deletion                 T1070.004   7-pass secure delete
Discovery             Process Discovery                                T1057       IProcess
Discovery             File and Directory Discovery                     T1083       IFileExplorer
Collection            Archive Collected Data                           T1560       ZIP file/dir command
Collection            Data from Local System                           T1005       Read/write files
Command and Control   Application Layer Protocol: Web Protocols        T1071.001   HTTP POST C2
Command and Control   Encrypted Channel: Symmetric Cryptography        T1573.001   AES-GCM
Command and Control   Data Encoding: Standard Encoding                 T1132.001   Base64
Command and Control   Proxy                                            T1090       Proxy configured in config
Exfiltration          Exfiltration Over C2 Channel                     T1041       Output returned over C2

Detection

YARA (source: Fox-IT / NCC Group)

The YARA rules below were published by Fox-IT/NCC Group for defensive purposes and are reproduced for deployment. The first rule calls pe.imports(), so the rule file must begin with import "pe" or YARA will refuse to compile it.

import "pe"

rule Lazarus_DPAPILoader_Hunting {
  meta:
    description = "Hunting rule to detect DPAPILoader, a loader used to load RemotePE."
    author      = "Fox-IT / NCC Group"
  strings:
    $msg_1 = "[!] Could not allocate memory at the desired base!\n"
    $msg_2 = "[!] Virtual section size is out ouf bounds: "
    $msg_3 = "[!] Invalid relocDir pointer\n"
    $msg_4 = "[-] Not supported relocations format at %d: %d\n"
    $msg_5 = "[!] Cannot fill imports into 32 bit PE via 64 bit loader!\n"
  condition:
    any of them and pe.imports("Crypt32.dll", "CryptUnprotectData")
}
 
rule Lazarus_RemotePE_C2_strings {
  meta:
    description = "RemotePE strings used for C2."
    author      = "Fox-IT / NCC Group"
  strings:
    $a = "MicrosoftApplicationsTelemetryDeviceId" wide ascii xor
    $b = "armAuthorization" wide ascii xor
    $c = "ai_session" wide ascii xor
  condition:
    uint16(0) == 0x5A4D and all of them
}
 
rule Lazarus_RemotePE_class_strings {
  meta:
    description = "RemotePE class strings."
    author      = "Fox-IT / NCC Group"
  strings:
    $a = "IMiddleController" ascii wide xor
    $b = "IChannelController" ascii wide xor
    $c = "IConfigProfile" ascii wide xor
    $d = "IKernelModule" ascii wide xor
  condition:
    all of them
}

Sigma (original, derived from IOCs/TTPs)

title: Lazarus DPAPILoader - Suspicious Internet Authentication Service DLL
id: 9b2c1f6e-4a3d-4e21-bf10-remotepe000001
status: experimental
description: Detects a service masquerading as IAS running Iassvc.dll instead of the legitimate iassvcs.dll
references:
  - https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
author: FPT IS Threat Intel
logsource:
  product: windows
  service: system
detection:
  selection_service:
    EventID: 7045
    ServiceName: 'Ias'
    ImagePath|contains: 'Iassvc.dll'
  filter_legit:
    ImagePath|contains: 'iassvcs.dll'
  condition: selection_service and not filter_legit
falsepositives:
  - None; the legitimate IAS DLL is iassvcs.dll
level: high

title: Lazarus RemotePE C2 - Known Domain Beaconing
id: 9b2c1f6e-4a3d-4e21-bf10-remotepe000002
status: experimental
description: DNS/HTTP to known RemotePE C2 domains
references:
  - https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
author: FPT IS Threat Intel
logsource:
  category: dns
detection:
  selection:
    QueryName:
      - 'livedrivefiles.com'
      - 'aes-secure.net'
      - 'azureglobalaccelerator.com'
      - 'msdeliverycontent.com'
      - 'akamaicloud.com'
      - 'intelcloudinsights.com'
      - 'devicelinkintel.com'
  condition: selection
falsepositives:
  - Very low; these are actor-controlled domains
level: critical

KQL — Microsoft Sentinel / Defender XDR (original)

1) Beaconing to C2 domains

let c2Domains = dynamic([
  "livedrivefiles.com","aes-secure.net","azureglobalaccelerator.com",
  "msdeliverycontent.com","akamaicloud.com","intelcloudinsights.com",
  "devicelinkintel.com"
]);
union isfuzzy=true
( DeviceNetworkEvents
  | where RemoteUrl has_any (c2Domains)
  | project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP ),
( DeviceDnsEvents
  | where DnsQuery has_any (c2Domains)
  | project Timestamp, DeviceName, InitiatingProcessFileName, DnsQuery )
| sort by Timestamp desc

2) DPAPILoader: service masquerading as IAS

DeviceEvents
| where ActionType == "ServiceInstalled"
| extend p = parse_json(AdditionalFields)
| where tostring(p.ServiceName) =~ "Ias"
       and tostring(p.ImagePath) has "Iassvc.dll"
       and tostring(p.ImagePath) !has "iassvcs.dll"
| project Timestamp, DeviceName, ServiceName=tostring(p.ServiceName), ImagePath=tostring(p.ImagePath)

3) DLL side-loading via edp.exe (ESET) — DLL in an unexpected location

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "edp.exe"
| where FileName in~ ("sspicli.dll")
| where FolderPath !startswith @"C:\Windows\System32"
| project Timestamp, DeviceName, InitiatingProcessFolderPath, FileName, FolderPath, SHA256

4) Hunt: unexpected (non-CAB) files in DeviceMetadataStore — candidate DPAPI blobs

DeviceFileEvents
| where FolderPath has @"\Microsoft\Windows\DeviceMetadataStore\"
| where FileName startswith "en-US"
| where ActionType in ("FileCreated","FileModified")
// Prioritise files >50KiB created by a process other than a legitimate metadata service
| where InitiatingProcessFileName !in~ ("svchost.exe","TiWorker.exe","DeviceCensus.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, FileSize

Caveat: query (4) needs environment-specific tuning — DeviceMetadataStore holds legitimate files; focus on the anomalous creating process and file size. EDR unhooking and ETW patching leave almost no direct KQL telemetry, so prioritise (1)–(3) plus DPAPI-blob hunting.

Expert assessment

This toolset is a leap in operational security (OPSEC), not firepower. Our analysis team reads RemotePE as a deliberate Lazarus shift from "noisy intrusion" toward low-footprint, long-term surveillance. Three properties combine into a genuinely hard DFIR problem:

  1. DPAPI environmental keying — renders sample collection meaningless without the victim's keys. In the investigation, Fox-IT could only decrypt the payload because a full forensic image (including the user's DPAPI keys) was available.
  2. Memory-only final stage — disk imaging recovers no RemotePE. DFIR must shift focus to memory forensics and capture artefacts before the machine reboots.
  3. Actor-in-the-loop — payloads are delivered only manually, during KST working hours. This is both an attribution signal and a sign that the best tooling is reserved for high-value targets, limiting exposure.

Sophistication: high — not because any single technique is novel (HellsGate, ETW patching, DPAPI, reflective loading are all known), but because of how they are chained to minimise the forensic footprint at every layer.

Relevance to Vietnam. The crypto/Web3/DeFi ecosystem in Vietnam and Southeast Asia has long been in scope for North Korean financial groups. The "fake trading-firm employee + spoofed meeting" social-engineering pattern fits crypto dev teams, investment funds, and freelance developers well — environments where receiving files or doing a "test task" from a "recruiter" is normal. For SOCs in Vietnam, the most realistic exposure is not malware "slipping past" EDR, but the out-of-band initial-access stage (Telegram, meeting links) — exactly where enterprise telemetry is thinnest.

Recommendations

Immediate (0–24h)

  • Host hunt: the Iassvc.dll DLL; the Ias service running Iassvc.dll (instead of iassvcs.dll); the event 554D5C1F-AABE-49E4-AB57-994D22ECED28; unexpected blobs in DeviceMetadataStore.
  • Block/alert on DNS & proxy for the 7 C2 domains in the IOCs section.
  • On suspected hosts: do not reboot; capture a memory image before triage.

Short-term (1–7 days)

  • Deploy Fox-IT's YARA across sample repositories & file servers; deploy the Sigma/KQL above into the SIEM.
  • Audit DLL side-loading with AV/EDR binaries (e.g. edp.exe) — control DLL load directories.
  • Train crypto/dev teams on the "recruiter/trading-partner" lure over Telegram; establish a verification process before opening files or accepting unknown meeting invites.

Long-term

  • Monitor for ETW tampering & unhooking behaviour rather than relying solely on userland hooks; prefer EDR with kernel telemetry.
  • Make memory forensics part of the standard DFIR playbook for any fileless suspicion.
  • Pivot on infrastructure (Namecheap shared hosting + characteristic cookie/JSON traits) instead of blocking single IPs.
