Lazarus RemotePE — three-stage memory-only RAT (DPAPILoader/RemotePELoader/RemotePE); HellsGate+ETW patch
tool · tool:remotepe
- Coverage timeline: 1 (first 2026-05-26 → last 2026-05-26)
- Briefs: 1 (1 distinct)
- Sources cited: 10 (8 hosts)
- Sections touched: 1 (deep_dive)
- Co-occurring entities: 0 (no co-occurrence)
Story timeline
- 2026-05-26: CTI Daily Brief — 2026-05-26
Where this entity is cited
- deep_dive: 1
Source distribution
- attack.mitre.org: 3 (30%)
- blog.fox-it.com: 1 (10%)
- cryptotimes.io: 1 (10%)
- nvd.nist.gov: 1 (10%)
- securelist.com: 1 (10%)
- thehackernews.com: 1 (10%)
- therecord.media: 1 (10%)
- trmlabs.com: 1 (10%)
All cited sources (10)
- blog.fox-it.com | primary, inline | Fox-IT, 2026-05-22 | https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
- attack.mitre.org | inline | `T1140` | https://attack.mitre.org/techniques/T1140/
- attack.mitre.org | inline | `T1480.001` | https://attack.mitre.org/techniques/T1480/001/
- attack.mitre.org | inline | `T1543.003` | https://attack.mitre.org/techniques/T1543/003/
- cryptotimes.io | inline | CryptoTimes's post-mortem synthesis on 2026-05-17 | https://www.cryptotimes.io/2026/05/17/10-8-million-drained-inside-the-thorchain-exploit-that-froze-cross-chain-defi-for-13-hours/
- nvd.nist.gov | inline | CVE-2023-33241 | https://nvd.nist.gov/vuln/detail/CVE-2023-33241
- securelist.com | inline | Kaspersky Securelist, 2026-05-14 | https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
- thehackernews.com | inline | The Hacker News, 2026-05-25 | https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html
- therecord.media | inline | THORChain | https://therecord.media/more-than-10-million-stolen-crypto-platform-thorchain
- trmlabs.com | inline | TRM Labs, 2026-05-15 | https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now
Items in briefs about Lazarus RemotePE — three-stage memory-only RAT (DPAPILoader/RemotePELoader/RemotePE); HellsGate+ETW patch
No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.