North Korea-linked hacker group Lazarus deploys the fileless Trojan RemotePE against cryptocurrency companies and banks.
CoinFeed reported on May 26, citing Cryptopolitan, that cybersecurity analysts have identified a new fileless remote access Trojan (RAT) called RemotePE. The Lazarus Group, a cybercrime organization believed to be linked to North Korea, is reportedly using it to attack banks and cryptocurrency companies. The Trojan runs entirely in memory, so traditional antivirus and disk-based forensic tools, which look for malicious files, have little to find. Initial access is social engineering: the attackers pose as employees of trading firms on Telegram and send fake Calendly and Picktime scheduling links. The malware is delivered as a three-stage chain, DPAPILoader, RemotePELoader and RemotePE, with each stage decrypted and executed in memory rather than written to disk, and it evades detection through process hijacking, anti-analysis checks and encrypted command-and-control (C2) traffic. Fileless does not mean traceless, however: the payload still exists in process memory, and the link click and the loaders' behaviour leave endpoint telemetry, so memory forensics and behavioural detection remain the practical way to find it.
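The report's central point is that a payload which is decrypted and run in memory leaves no file for antivirus to scan. The added example below, which is not code from the report, Cryptopolitan or the malware itself, shows the detection side of that argument: instead of scanning files, walk a process's memory map and flag executable regions that have no file on disk behind them (anonymous memory, memfd-backed images, or mappings of files deleted after loading). It is written for Linux procfs, where `/proc/<pid>/maps` exposes the map as text; the Windows analogue of the same heuristic walks `VirtualQueryEx` for `MEM_PRIVATE` regions with `PAGE_EXECUTE_*` protection. The sample maps text, its addresses, inodes and the `/memfd:stage2` name are constructed for the demonstration, and the live demo plants an anonymous RWX page in its own process as a stand-in for a loader's decrypted next stage.

```python
"""Memory-map scan for executable code with nothing on disk behind it."""
import mmap
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})"
    r"\s+[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Kernel-provided executable regions that are legitimately not file-backed.
_KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}

# Constructed sample of a maps file (hypothetical addresses and inodes): a normal
# interpreter and libc, one anonymous RWX page and one memfd-backed image that
# has been unlinked, the two classic in-memory execution footprints.
SAMPLE_MAPS = """\
55d0c4a00000-55d0c4a22000 r-xp 00000000 fd:01 1050000 /usr/bin/python3
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c021000-7f3a1c022000 rwxp 00000000 00:00 0
7f3a1d400000-7f3a1d5b2000 r-xp 00000000 fd:01 2100000 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1d800000-7f3a1d810000 r-xp 00000000 00:05 42 /memfd:stage2 (deleted)
7ffd6e1c0000-7ffd6e1e1000 rw-p 00000000 00:00 0 [stack]
7ffd6e1f4000-7ffd6e1f6000 r-xp 00000000 00:00 0 [vdso]
"""


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def file_backed(self) -> bool:
        """True only when a real file still exists on disk for AV to scan."""
        if not self.path or self.path.startswith("["):
            return False  # anonymous memory, stack, heap, kernel regions
        if self.path.startswith("/memfd:") or self.path.endswith("(deleted)"):
            return False  # memory-only file, or one unlinked after mapping
        return True

    @property
    def suspicious(self) -> bool:
        """Executable code with no disk artifact: the fileless footprint."""
        return self.executable and not self.file_backed and self.path not in _KERNEL_REGIONS


def parse_maps(text: str) -> List[Region]:
    regions = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line)
        if m:
            regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                                  m["perms"], m["path"].strip()))
    return regions


def find_unbacked_executable(regions: List[Region]) -> List[Region]:
    return [r for r in regions if r.suspicious]


def scan_process(pid: str = "self") -> List[Region]:
    """Scan a live process; needs Linux procfs and rights to read its maps."""
    with open(f"/proc/{pid}/maps") as f:
        return find_unbacked_executable(parse_maps(f.read()))


def demo_self_scan() -> Dict[str, object]:
    """Plant an anonymous RWX page in this process, as a loader that decrypts
    its next stage straight into memory would, then catch it with the scan."""
    if not os.path.exists("/proc/self/maps"):
        return {"mapping_created": False, "new_findings": []}  # procfs only
    before = {(r.start, r.end) for r in scan_process()}
    try:
        planted = mmap.mmap(-1, mmap.PAGESIZE, flags=mmap.MAP_PRIVATE,
                            prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    except (OSError, ValueError):
        # Hardened kernels (SELinux execmem denial, W^X policies) refuse anonymous
        # executable memory outright, which is itself a control worth having.
        return {"mapping_created": False, "new_findings": []}
    try:
        new = [r for r in scan_process() if (r.start, r.end) not in before]
    finally:
        planted.close()
    return {"mapping_created": True, "new_findings": new}


if __name__ == "__main__":
    for r in find_unbacked_executable(parse_maps(SAMPLE_MAPS)):
        print(f"sample: {r.start:x}-{r.end:x} {r.perms} {r.path or '<anonymous>'}")
    for r in demo_self_scan()["new_findings"]:
        print(f"live:   {r.start:x}-{r.end:x} {r.perms} {r.path or '<anonymous>'}")
```

On the constructed sample the scan flags exactly the anonymous RWX page and the unlinked memfd image, and ignores the interpreter, libc and `[vdso]`. The heuristic has known benign hits (JIT compilers, some packers, executable stacks on old binaries), so in production it is a triage signal to correlate with process lineage and network telemetry rather than a verdict on its own; a loader that does its work and then unmaps the stage also narrows the window, which is why periodic or event-driven scans beat one-off sweeps.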