North Korea's most capable cyber unit has operationalised a fully fileless remote access trojan that leaves zero recoverable disk artefacts — and has already helped Pyongyang steal $577 million in the first four months of 2026.
Intelligence Lead
North Korea's Lazarus Group has deployed a new remote access trojan designated RemotePE, engineered to execute entirely within system memory and leave no recoverable artefacts on disk. Technical analysis published by Fox-IT and corroborated by The Hacker News confirms the tool employs advanced anti-forensic techniques that render standard endpoint detection and disk imaging ineffective. The deployment coincides with an assessed $577 million in cryptocurrency stolen by North Korean actors in the first four months of 2026 alone — funds assessed with high confidence to support Pyongyang's ballistic missile and nuclear weapons programmes.
Situation Report
Fox-IT researchers published technical findings on 22 May 2026 detailing the RemotePE attack chain against financial institutions and cryptocurrency platforms. The intrusion sequence begins with a component designated DPAPILoader, which uses the Windows Data Protection API (DPAPI) to decrypt a secondary loader, RemotePELoader, read from disk. Because DPAPI derives its key from the victim machine's hardware and account context, the encrypted loader cannot be decrypted or analysed outside the original environment. RemotePELoader then beacons to a command-and-control server; upon receiving the encrypted final stage, it loads RemotePE directly into memory and never writes the payload to disk.
RemotePE employs two documented evasion techniques. The first is Hell's Gate, a method of direct syscall execution that bypasses user-mode API hooks placed by endpoint detection and response (EDR) solutions. The second is Event Tracing for Windows (ETW) patching, which disables the kernel-level telemetry channel that most modern security products depend upon for behavioural analysis. Combined with DPAPI environmental keying, the result is a RAT with no recoverable filesystem presence and severely degraded detection telemetry. Employees at trading companies, investment institutions, and decentralised finance platforms are the confirmed primary targets, approached via spearphishing and social engineering lures.
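A defender-side illustration of how the two techniques in this paragraph surface in telemetry, written as an added example for this brief (it is not Fox-IT's tooling or the brief's own code): a direct syscall executed from outside ntdll.dll leaves a caller address that no loaded module backs, and an ETW provider function whose in-memory entry bytes no longer match the on-disk ntdll copy has been patched. The module map, the syscall events, the ModuleRange/SyscallEvent record shapes and the reference prologue bytes are all constructed for the example rather than taken from the report.

```python
"""Two detection checks for the evasion techniques attributed to RemotePE.

Added example; the telemetry shapes and byte values below are constructed
stand-ins, not data from the Fox-IT analysis.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ModuleRange:
    """A loaded module's address range, as an EDR records it from the process's module list."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class SyscallEvent:
    """One kernel-transition record (hypothetical telemetry shape): process id,
    the Nt* call made, and the user-mode address the syscall instruction ran from."""
    pid: int
    syscall_name: str
    caller: int


def syscalls_outside_ntdll(events: List[SyscallEvent],
                           modules: List[ModuleRange]) -> List[Tuple[int, str, str]]:
    """Flag syscalls whose caller is not inside ntdll.dll.

    Legitimate user-mode code reaches the kernel through ntdll's stubs, so a
    syscall instruction executing anywhere else (typically an unbacked region
    holding a copied stub) is the observable footprint of Hell's Gate-style
    direct syscalls that bypass hooks placed on ntdll exports.
    """
    ntdll = next(m for m in modules if m.name.lower() == "ntdll.dll")
    flagged = []
    for ev in events:
        if ntdll.contains(ev.caller):
            continue
        owner = next((m.name for m in modules if m.contains(ev.caller)), "<unbacked memory>")
        flagged.append((ev.pid, ev.syscall_name, owner))
    return flagged


# Short stubs commonly found at the start of a neutered ETW provider function;
# used only to label a mismatch once the on-disk comparison has already failed.
KNOWN_PATCH_STUBS: Dict[bytes, str] = {
    b"\xc3": "ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\xb8\x00\x00\x00\x00\xc3": "mov eax,0; ret",
}


def etw_prologue_status(in_memory: bytes, on_disk: bytes) -> str:
    """Compare the first bytes of an ETW provider function (e.g. EtwEventWrite) as
    mapped in a live process against the same bytes read from the on-disk ntdll.dll.
    The on-disk copy is the reference; any divergence means the mapped image was
    modified after load, which is what in-process ETW patching does."""
    if in_memory[:len(on_disk)] == on_disk:
        return "intact"
    for stub, label in KNOWN_PATCH_STUBS.items():
        if in_memory.startswith(stub):
            return "patched: " + label
    return "patched: unrecognised bytes"


# Constructed module map and events for a single process, not real addresses.
SAMPLE_MODULES = [
    ModuleRange("ntdll.dll", 0x7FFB12340000, 0x1F0000),
    ModuleRange("kernel32.dll", 0x7FFB11000000, 0xC0000),
    ModuleRange("trader.exe", 0x7FF600000000, 0x80000),
]
SAMPLE_EVENTS = [
    SyscallEvent(4120, "NtOpenFile", 0x7FFB1239D1E4),          # inside ntdll: normal
    SyscallEvent(4120, "NtWriteVirtualMemory", 0x1A2B3C40C12),  # unbacked region
    SyscallEvent(5008, "NtCreateThreadEx", 0x7FF60001A2B0),     # main image, not ntdll
]

# Constructed stand-in for the on-disk prologue bytes of the provider function.
REFERENCE_PROLOGUE = bytes.fromhex("4c8bdc4883ec58")


def run_checks() -> Dict[str, object]:
    """Run both checks over the constructed sample data and return the findings."""
    return {
        "direct_syscalls": syscalls_outside_ntdll(SAMPLE_EVENTS, SAMPLE_MODULES),
        "etw_clean": etw_prologue_status(REFERENCE_PROLOGUE + b"\x90", REFERENCE_PROLOGUE),
        "etw_patched": etw_prologue_status(b"\xc3" + REFERENCE_PROLOGUE[1:], REFERENCE_PROLOGUE),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, "->", value)
```

In a real deployment the caller address comes from a stack walk at the kernel transition (kernel-side telemetry that user-mode patching cannot reach), and the reference prologue is read from the ntdll.dll file on disk rather than embedded, so the check is a comparison between two copies of the same code rather than a fixed signature.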
TRM Labs research published in parallel confirms that North Korea has stolen $577 million in cryptocurrency in the first four months of 2026. Lazarus Group is assessed to account for 76% of all cryptocurrency theft recorded globally in 2026 to date, a concentration that indicates a deliberate and sustained state-directed campaign rather than opportunistic criminal activity.
Background & Context
Lazarus Group, operating under the authority of North Korea's Reconnaissance General Bureau, has conducted financially motivated cyber operations since at least 2016. The group's trajectory from destructive attacks — most notably the 2014 Sony Pictures intrusion and the 2017 WannaCry ransomware campaign — to sustained financial theft reflects a strategic adaptation to international sanctions. With conventional revenue channels denied, cryptocurrency theft has become a primary mechanism for funding state programmes. The United Nations Panel of Experts has documented a direct link between Lazarus-attributed proceeds and North Korea's ballistic missile procurement and development pipeline.
The introduction of RemotePE represents a measurable technical escalation from prior Lazarus tooling. Previous campaigns relied on malware families such as AppleJeus, BLINDINGCAN, and COPPERHEDGE — tools that, while sophisticated, left recoverable artefacts amenable to forensic analysis and post-incident attribution. The shift to fully memory-resident execution, environmental keying, and active telemetry suppression narrows the forensic window available to defenders and complicates timely attribution. The choice of DPAPI for environmental keying is particularly notable: it exploits a legitimate Windows cryptographic function, reducing the malware's anomaly footprint during static analysis. This reflects an adversary with deep familiarity with Windows internals and the detection logic of deployed enterprise security products.
Analysis & Assessment
Available technical evidence assessed with high confidence indicates RemotePE was developed specifically to defeat the class of EDR solutions — CrowdStrike, SentinelOne, Microsoft Defender for Endpoint — that dominate enterprise deployments at financial institutions. The dual application of Hell's Gate and ETW patching is not incidental; both techniques directly target the telemetry hooks that these platforms use for behavioural detection. This suggests the Lazarus Group conducted deliberate research against target security stacks before finalising the toolchain — a capability investment commensurate with the scale of the financial returns generated.
The $577 million figure warrants strategic framing. At this rate, North Korea is on course to steal approximately $1.7 billion in cryptocurrency in 2026, exceeding the $1.5 billion attributed to the Bybit exchange theft of February 2025. This trajectory is not consistent with a financially stressed adversary running improvised operations; it reflects a state that has industrialised cyber-enabled financial crime and allocated serious engineering resources to maintaining offensive advantage. Western financial regulators and cryptocurrency exchanges are operating, in effect, as contested terrain in a state-sponsored financial warfare campaign. Current defensive postures — which remain largely reactive and detection-dependent — are assessed as insufficient against a toolchain specifically engineered to suppress detection telemetry before alerts can fire.
