ctipilot.ch

RemotePE

tool · tool:remotepe

Lazarus three-stage memory-only RAT chain (DPAPILoader / RemotePELoader / RemotePE) with HellsGate and ETW patching.

Coverage timeline
1
first 2026-05-26 → last 2026-05-26
Peak priority
high
1 high
Sources cited
13
3 hosts
Sections touched
1
deep-dive
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
15
pinned v19.1 · see below

ATT&CK techniques

15 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1566Phishing×1

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

Execution TA0002

T1059Command and Scripting Interpreter×1

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1106Native API×1

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

Persistence TA0003

T1543Create or Modify System Process×1

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1543.003Create or Modify System Process: Windows Service×1

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

Privilege Escalation TA0004

T1055Process Injection×1

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1055.002Process Injection: Portable Executable Injection×1

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1543Create or Modify System Process×1

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1543.003Create or Modify System Process: Windows Service×1

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

Stealth TA0005

T1055Process Injection×1

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1055.002Process Injection: Portable Executable Injection×1

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1070Indicator Removal×1

Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1070.004Indicator Removal: File Deletion×1

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1140Deobfuscate/Decode Files or Information×1

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1480Execution Guardrails×1

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1480.001Execution Guardrails: Environmental Keying×1

Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

Defense Impairment TA0112

T1685Disable or Modify Tools×1

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

Command and Control TA0011

T1071Application Layer Protocol×1

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1071.001Application Layer Protocol: Web Protocols×1

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

Story timeline

  1. 2026-05-26Lazarus "RemotePE": a three-stage memory-only RAT that unhooks EDR and blinds ETW
    deep-dive

Where this entity is cited

  • deep-dive1

Source distribution

  • attack.mitre.org11 (85%)
  • blog.fox-it.com1 (8%)
  • thehackernews.com1 (8%)

Entries about RemotePE (1)

2026-05-26 · view entry permalink →

HIGH

Lazarus "RemotePE": a three-stage memory-only RAT that unhooks EDR and blinds ETW

Background. Fox-IT (NCC Group) attributes RemotePE to a Lazarus sub-cluster whose activity overlaps the AppleJeus, Citrine Sleet (UNC4736) and Gleaming Pisces operations against financial and cryptocurrency organisations, and notes capability lineage with the group's earlier PondRAT/POOLRAT tooling — for example a shared file-deletion routine (Fox-IT, 2026-05-22). The toolset is not new in the wild — Fox-IT recovered four RemotePE samples compiled between July 2023 and mid-2024 across multiple incident-response engagements — but neither the loader nor the final RAT had appeared on public malware repositories before this write-up, which is the point: the chain is engineered so that the components that matter never touch disk on the analyst's terms. The chain reads as a clean, modern North-Korea-nexus tradecraft reference: environmental keying, on-the-fly EDR unhooking, ETW suppression, and a final stage that exists only in memory (The Hacker News, 2026-05-25).

Stage 1 — DPAPILoader (on-disk, environmentally keyed). The first stage decrypts the second stage from disk using the Windows Data Protection API (DPAPI) keyed to the victim machine, so the payload is only decryptable on the intended host and yields nothing if copied to an analyst sandbox (T1480.001 Environmental Keying; T1140 Deobfuscate/Decode), with an additional single-byte XOR layer over the blob (Fox-IT, 2026-05-22). For persistence, DPAPILoader is registered as a Windows service DLL masquerading as C:\Windows\System32\Iassvc.dll — a near-homograph of the legitimate Internet Authentication Service DLL iassvcs.dll (note the dropped trailing s) — giving automatic-start execution under svchost (T1543.003 Windows Service). Encrypted payloads are stashed inside C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\ among legitimate Cabinet metadata files, blending with normal OS content.

Stage 2 — RemotePELoader (fetch + unhook + blind). The second stage beacons over HTTP to a command-and-control server and waits to receive the final stage (T1071.001 Web Protocols). Before doing anything else it performs two evasion steps. It resolves Windows syscall numbers at runtime using HellsGate (the TartarusGate variant) — remapping ntdll/KnownDlls to recover clean syscall stubs for NtOpenSection, NtMapViewOfSection, NtUnmapViewOfSection, NtProtectVirtualMemory and NtClose, defeating userland EDR hooks placed on those NTAPI functions (T1562.001 Disable or Modify Tools; T1106 Native API). It then patches EtwEventWrite() in-process so the function returns immediately, suppressing Event Tracing for Windows generation and blinding ETW-backed telemetry (T1562.006 Indicator Blocking).

Stage 3 — RemotePE (memory-only RAT). The final stage is a C++ RAT loaded reflectively and executed entirely in process memory, never written to disk (T1055.002 Portable Executable Injection). Its capabilities are deliberately modest and operator-driven: shell command execution, file read/write, file deletion with a multi-pass overwrite (the routine Fox-IT links to PondRAT/POOLRAT), and C2 polling with configurable sleep intervals (T1059, T1070.004 File Deletion). Initial access is social-engineering via Telegram — the actor impersonates a prospective contact and sends scheduling links on look-alike Calendly/Picktime-style domains to lure the target into the loader (T1566).

Detection concepts (no IOCs). This chain is built to defeat disk forensics and static signatures, so the detection surface is behavioural and largely in memory:

  • Service-DLL anomaly. Alert on service-creation (Windows EID 7045) or service-DLL registration pointing at Iassvc.dll — the legitimate IAS DLL is iassvcs.dll; the missing s is the tell. Compare all service DLLs against a blessed-DLL allowlist.
  • ETW-write tampering. Monitor for in-process patching of ntdll!EtwEventWrite — EDRs that place kernel callbacks on writes to mapped ntdll regions will surface this; a sudden cessation of ETW events from a service process is a secondary signal.
  • Syscall-unhooking / KnownDlls remap. Surfaces as PEB module-list traversal and \KnownDlls section-object mapping from a non-loader context — visible via memory-integrity callbacks or process-tampering telemetry.
  • Memory-only payload. Hunt for HTTP(S) beacons from processes that have no backing PE on disk at the beacon origin, and periodically scan service-process memory for reflective-PE characteristics; disk imaging alone will not recover RemotePE.
  • Decoy-store writes. Sysmon EID 11 for files written under DeviceMetadataStore\en-US\ whose extensions are not the expected Cabinet/metadata types.

Hardening / mitigation. Enforce a service-DLL allowlist and block service registration of unsigned or unexpected DLLs in System32; restrict write access to DeviceMetadataStore to SYSTEM; enable AMSI and, where available, kernel-mode telemetry that does not depend solely on userland NTAPI hooks (the unhooking specifically targets userland hooks, so kernel-callback-based EDR sensors retain visibility). For the financial/treasury and any crypto-adjacent teams that are the named victim profile — including European financial institutions in Lazarus's target verticals — treat unsolicited Telegram scheduling links as a credential/loader-delivery TTP and route them through the same scrutiny as email attachments.

threat26 May 05:00Zmulti-sourceOpen finding ↗