ctipilot.ch


Lazarus "RemotePE": a three-stage memory-only RAT that unhooks EDR and blinds ETW

High threat · discovered 2026-05-26 05:00 UTC · deep dive

Part of run 2026-05-26-ae9d0d4b (intel · Claude Opus 4.7)

Background. Fox-IT (NCC Group) attributes RemotePE to a Lazarus sub-cluster whose activity overlaps the AppleJeus, Citrine Sleet (UNC4736) and Gleaming Pisces operations against financial and cryptocurrency organisations, and notes capability lineage with the group's earlier PondRAT/POOLRAT tooling — for example a shared file-deletion routine (Fox-IT, 2026-05-22). The toolset is not new in the wild — Fox-IT recovered four RemotePE samples compiled between July 2023 and mid-2024 across multiple incident-response engagements — but neither the loader nor the final RAT had appeared on public malware repositories before this write-up, which is the point: the chain is engineered so that the components that matter never touch disk on the analyst's terms. The chain reads as a clean, modern North-Korea-nexus tradecraft reference: environmental keying, on-the-fly EDR unhooking, ETW suppression, and a final stage that exists only in memory (The Hacker News, 2026-05-25).

Stage 1 — DPAPILoader (on-disk, environmentally keyed). The first stage decrypts the second stage from disk using the Windows Data Protection API (DPAPI) keyed to the victim machine, so the payload is only decryptable on the intended host and yields nothing if copied to an analyst sandbox (T1480.001 Environmental Keying; T1140 Deobfuscate/Decode), with an additional single-byte XOR layer over the blob (Fox-IT, 2026-05-22). For persistence, DPAPILoader is registered as a Windows service DLL masquerading as C:\Windows\System32\Iassvc.dll — a near-homograph of the legitimate Internet Authentication Service DLL iassvcs.dll (note the dropped trailing s) — giving automatic-start execution under svchost (T1543.003 Windows Service). Encrypted payloads are stashed inside C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\ among legitimate Cabinet metadata files, blending with normal OS content.

Stage 2 — RemotePELoader (fetch + unhook + blind). The second stage beacons over HTTP to a command-and-control server and waits to receive the final stage (T1071.001 Web Protocols). Before doing anything else it performs two evasion steps. It resolves Windows syscall numbers at runtime using HellsGate (the TartarusGate variant) — remapping ntdll/KnownDlls to recover clean syscall stubs for NtOpenSection, NtMapViewOfSection, NtUnmapViewOfSection, NtProtectVirtualMemory and NtClose, defeating userland EDR hooks placed on those NTAPI functions (T1562.001 Disable or Modify Tools; T1106 Native API). It then patches EtwEventWrite() in-process so the function returns immediately, suppressing Event Tracing for Windows generation and blinding ETW-backed telemetry (T1562.006 Indicator Blocking).

Stage 3 — RemotePE (memory-only RAT). The final stage is a C++ RAT loaded reflectively and executed entirely in process memory, never written to disk (T1055.002 Portable Executable Injection). Its capabilities are deliberately modest and operator-driven: shell command execution, file read/write, file deletion with a multi-pass overwrite (the routine Fox-IT links to PondRAT/POOLRAT), and C2 polling with configurable sleep intervals (T1059, T1070.004 File Deletion). Initial access is social-engineering via Telegram — the actor impersonates a prospective contact and sends scheduling links on look-alike Calendly/Picktime-style domains to lure the target into the loader (T1566).

Detection concepts (no IOCs). This chain is built to defeat disk forensics and static signatures, so the detection surface is behavioural and largely in memory:

  • Service-DLL anomaly. Alert on service-creation (Windows EID 7045) or service-DLL registration pointing at Iassvc.dll — the legitimate IAS DLL is iassvcs.dll; the missing s is the tell. Compare all service DLLs against a blessed-DLL allowlist.
  • ETW-write tampering. Monitor for in-process patching of ntdll!EtwEventWrite — EDRs that place kernel callbacks on writes to mapped ntdll regions will surface this; a sudden cessation of ETW events from a service process is a secondary signal.
  • Syscall-unhooking / KnownDlls remap. Surfaces as PEB module-list traversal and \KnownDlls section-object mapping from a non-loader context — visible via memory-integrity callbacks or process-tampering telemetry.
  • Memory-only payload. Hunt for HTTP(S) beacons from processes that have no backing PE on disk at the beacon origin, and periodically scan service-process memory for reflective-PE characteristics; disk imaging alone will not recover RemotePE.
  • Decoy-store writes. Sysmon EID 11 for files written under DeviceMetadataStore\en-US\ whose extensions are not the expected Cabinet/metadata types.
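The two disk-side signals above (the service-DLL homograph/allowlist check and the decoy-store write filter) can be expressed as a small detection routine; the hardening section's service-DLL allowlist is the same comparison run continuously rather than once. The following is an added illustration, not code from Fox-IT or from the brief. It assumes simplified, constructed telemetry records rather than real EVTX/Sysmon XML, an invented four-entry allowlist in place of one generated from a golden image, and that `.devicemetadata-ms` and `.cab` are the only file types normally written into the en-US metadata store. The service-DLL registration is modelled as a Sysmon EID 13 (registry value set) on `...\Parameters\ServiceDll`, since the 7045 service-install event itself does not carry the DLL path.

```python
"""Detection sketch for two RemotePE disk-side signals over constructed events.

1. A ServiceDll registration whose basename is off-allowlist, or is one edit
   away from an allowlisted DLL (Iassvc.dll vs iassvcs.dll).
2. A Sysmon EID 11 file create under DeviceMetadataStore\\en-US\\ with an
   extension other than the expected metadata/Cabinet types.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# --- Assumptions (hypothetical values, not from the Fox-IT write-up) --------
# Stand-in allowlist of svchost-hosted service DLLs; a real one is generated
# from a known-good image of the same Windows build.
SERVICE_DLL_ALLOWLIST = {"iassvcs.dll", "schedsvc.dll", "wuaueng.dll", "dnsrslvr.dll"}

# Decoy directory prefix, compared case-insensitively.
DECOY_STORE = r"c:\programdata\microsoft\windows\devicemetadatastore\en-us"

# File types assumed normal in that directory; anything else is flagged.
EXPECTED_STORE_EXTS = {".devicemetadata-ms", ".cab"}

# Registry value Sysmon reports when a service DLL is (re)registered.
SERVICE_DLL_VALUE = re.compile(r"\\services\\([^\\]+)\\parameters\\servicedll$", re.I)


def parse_record(line: str) -> dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' record into a dict."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is enough to catch the dropped-'s' homograph."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_service_dll(rec: dict[str, str]) -> str | None:
    """Sysmon EID 13: flag ServiceDll values that are off-allowlist or homographs."""
    if rec.get("EventID") != "13":
        return None
    m = SERVICE_DLL_VALUE.search(rec.get("TargetObject", ""))
    if not m:
        return None
    service = m.group(1)
    dll = PureWindowsPath(rec.get("Details", "")).name.lower()
    if dll in SERVICE_DLL_ALLOWLIST:
        return None
    near = [known for known in SERVICE_DLL_ALLOWLIST if edit_distance(dll, known) == 1]
    if near:
        return f"HOMOGRAPH service={service} dll={dll} resembles={near[0]}"
    return f"OFF-ALLOWLIST service={service} dll={dll}"


def check_decoy_store_write(rec: dict[str, str]) -> str | None:
    """Sysmon EID 11: flag unexpected file types written into the decoy store."""
    if rec.get("EventID") != "11":
        return None
    target = rec.get("TargetFilename", "")
    if not target.lower().startswith(DECOY_STORE + "\\"):
        return None
    if PureWindowsPath(target).suffix.lower() in EXPECTED_STORE_EXTS:
        return None
    return f"DECOY-STORE-WRITE image={rec.get('Image', '?')} file={target}"


CHECKS = (check_service_dll, check_decoy_store_write)


def scan(lines: list[str]) -> list[str]:
    """Run every check over every record; return alerts in input order."""
    alerts: list[str] = []
    for line in lines:
        rec = parse_record(line)
        for check in CHECKS:
            hit = check(rec)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs). Only records 1 and 3 should fire.
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Windows\regedit.exe|TargetObject=HKLM\System\CurrentControlSet\Services\IAS\Parameters\ServiceDll|Details=C:\Windows\System32\Iassvc.dll",
    r"EventID=13|Image=C:\Windows\System32\services.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Schedule\Parameters\ServiceDll|Details=%SystemRoot%\System32\schedsvc.dll",
    r"EventID=11|Image=C:\Windows\System32\svchost.exe|TargetFilename=C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\4f2a91.dat",
    r"EventID=11|Image=C:\Windows\System32\svchost.exe|TargetFilename=C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\a1b2c3.devicemetadata-ms",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The homograph branch is the part worth keeping: an allowlist alone would report `Iassvc.dll` as merely unknown, whereas naming the legitimate DLL it resembles tells the analyst immediately why that registration is suspicious. The decoy-store check deliberately keys on the path prefix plus extension rather than on file hashes, because the payloads are DPAPI-keyed to the host and will not hash-match across victims.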

Hardening / mitigation. Enforce a service-DLL allowlist and block service registration of unsigned or unexpected DLLs in System32; restrict write access to DeviceMetadataStore to SYSTEM; enable AMSI and, where available, kernel-mode telemetry that does not depend solely on userland NTAPI hooks (the unhooking specifically targets userland hooks, so kernel-callback-based EDR sensors retain visibility). For the financial/treasury and any crypto-adjacent teams that are the named victim profile — including European financial institutions in Lazarus's target verticals — treat unsolicited Telegram scheduling links as a credential/loader-delivery TTP and route them through the same scrutiny as email attachments.

nation-state · espionage · infostealer · north-korea-nexus · global · europe