Menu

Lazarus Group Deploys RemotePE RAT to Steal from Crypto and DeFi Firms

, , , , , , , , 0

8fd39f2e-6d94-48ea-9f41-5eb8c9d8494f

North Korean Hackers Target Crypto Firms with New Stealth Malware

The has stepped up attacks on banks, crypto exchanges, and DeFi platforms. They now use a powerful memory-only tool called that leaves almost no trace on infected computers.

Who Is the Lazarus Group?

The is a cyber team linked to North Korea. They have stolen money and data from financial companies around the world for years. Their recent work shows they like memory-only malware and clever tricks to avoid detection.

How the RemotePE Attack Works

Attackers start by sending messages on Telegram. They pretend to be from trading firms and invite victims to fake meeting links on sites like calendly.live. Once the victim clicks, the infection begins.

The attack uses three main stages:

  • First, a loader file named Iassvc.dll runs and hides itself by changing Windows services.
  • Next, RemotePELoader talks to command servers and pulls the main malware into memory only.
  • Finally, itself runs entirely in memory and waits for orders from the hackers.

Key Tricks Used by RemotePE

uses special methods like Hell’s Gate to skip normal security checks. It also turns off Windows logging so defenders see nothing. The malware can list files, run programs, delete data safely, and even load extra tools without writing anything to disk.

Related versions also work on Linux and macOS, showing the group plans attacks across many systems.

Who Gets Hit and Why

Trading firms, investment groups, and DeFi projects are the main targets. The goal is both to steal money and gather secret information. Because the malware runs only in memory, normal antivirus tools often miss it.

How to Protect Your Crypto Business

Companies should watch for strange network traffic to domains like aes-secure.net. Good endpoint tools that spot memory attacks are important. Staff must learn to ignore suspicious Telegram messages and fake calendar links. Keeping browsers updated also helps block possible zero-day tricks.

Regular checks for odd service changes and use of threat-hunting rules can catch the threat early.

Final Thoughts

The campaign shows how far the has come in hiding their tools. Crypto firms must stay alert and use strong behavioral detection to avoid big losses.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *