RemotePE: Inside Lazarus’s In-Memory RAT and Its DPAPI-Keyed Three-Stage Loader Chain

Executive Summary

Fox-IT (NCC Group) details RemotePE, a final-stage in-memory remote-access tool used by the Lazarus group (DPRK) against financial and cryptocurrency targets. RemotePE is delivered through a three-stage chain: DPAPILoader, an environmentally-keyed first-stage that uses DPAPI to bind decryption to the victim machine; RemotePELoader, an operator-controlled HTTP beacon that uses HellsGate-style direct syscalls, ETW patching and DLL unhooking to retrieve and decrypt the next stage from C2; and RemotePE itself — a reflective in-memory PE whose object model exposes a structured command interface (IConsole, IFileExplorer, IProcess, IConfigProfile, ITimer, IPing) and a 7-pass secure-delete routine that lines up cleanly with prior Lazarus families such as POOLRAT, ThemeForestRAT and PondRAT.

The campaign window spans July 2023 – May 2026 and shows an actor-in-the-loop delivery model: out of six recorded C2 sessions, payload return latency ranges from instant to ~20 hours, all converging on Korean Standard Time business hours. C2 traffic rides AES-GCM with SplitMix64-derived keys, MSZIP-compressed responses, and Microsoft-themed cookie / JSON-key masquerading (MicrosoftApplicationsTelemetryDeviceId, ai_session, armAuthorization, odata.metadata). The Fox-IT post ships a full IOC set, four YARA rules, infrastructure on Namecheap shared hosting, and a Dissect-based forensic workflow for offline DPAPI decryption.

Summary — The Three-Stage Chain

The chain is deliberately split so that each stage hides what comes after it. DPAPILoader is the only artefact on disk that is cryptographically tied to the victim; without that machine’s DPAPI key, neither the loader nor the configuration is decryptable in a lab. RemotePELoader is decrypted into memory by DPAPILoader and reaches out to the operator-controlled C2 for the third stage. RemotePE itself never touches disk: the operator returns it on demand, RemotePELoader maps it reflectively, and it executes entirely from memory.

DPAPILoader: First-Stage, Environmentally-Keyed Loader

DPAPILoader is the persistent component. The earliest sample observed by Fox-IT masquerades as Iassvc.dll — the legitimate Microsoft Internet Authentication Service DLL — and is loaded by svchost.exe under a Windows service called Ias with the matching display name and description copied straight from the real IAS service. Service registration looks like a legitimate Microsoft component to any quick review:

          name (string) = Ias
   displayname (string) = Internet Authentication Service
   description (string) = Internet Authentication Service (IAS) is a component of Windows Server operating systems that provides centralized user authentication, authorization and accounting.
      servicedll (path) = %SystemRoot%system32Iassvc.dll
       imagepath (path) = %systemroot%system32svchost.exe
imagepath_args (string) = -k netsvcs -p
    objectname (string) = LocalSystem
         start (string) = Auto Start (2)
          type (string) = Service - Own Process (0x10)
  errorcontrol (string) = Normal (1)

DPAPI Encryption

DPAPILoader looks for an encrypted PE payload and configuration blob inside C:ProgramDataMicrosoftWindowsDeviceMetadataStoreen-US*.*, calls CryptUnprotectData() with the local DPAPI key, then XOR-decodes the cleartext with constant 0x8D. The decrypted PE is mapped reflectively via libpeconv and executed in process. Because DPAPI keys are derived from the victim’s logon credentials, this is textbook T1480.001 Environmental Keying — a sample lifted from one machine cannot be detonated on another.

For incident-response work, Fox-IT’s open-source Dissect framework can replay the decryption offline given the victim’s DPAPI master keys, producing the original PE for analysis:

Observed DPAPILoader Samples

RemotePELoader: Second-Stage, Operator-Controlled Loader

RemotePELoader is the second-stage in-memory loader. Its single job is to retrieve and execute the next-stage PE (RemotePE) returned by the operator on demand. It does not stage the final RAT on disk and does not write logs — everything happens inside the same svchost.exe process the DPAPILoader runs in.

HellsGate & EDR Evasion

RemotePELoader uses HellsGate-style direct syscalls (lifted from TartarusGate) to resolve Nt* syscall numbers at runtime, bypassing any userland EDR hooks installed in ntdll.dll. It also unhooks the rest of ntdll by re-mapping a fresh copy from the KnownDlls object directory — a clean, EDR-friendly path that does not need to touch disk — and it patches EtwEventWrite with a two-instruction stub that zeroes the return value and returns immediately, silencing kernel-bound ETW telemetry from that process:

48 33 c0          ; XOR    RAX, RAX
c3                ; RET

Configuration

The RemotePELoader configuration is itself DPAPI-encrypted on disk, in the same DeviceMetadataStoreen-US*.* path. The decrypted structure carries the C2 URLs (up to three), an optional proxy, the polling-interval window, and the next wake-up timestamp:

struct RemotePEC2Config     // sizeof=0xb38
{
  int dwReconnectMinutes;   // minutes to wait after C2 session ends
  int dwSleepUntilEpoch;    // UNIX epoch wake-up timestamp
  int dwSleepMin;           // minimum sleep time between C2 polls
  int dwSleepMax;           // maximum sleep time between C2 polls
  wchar_t wsC2Url_1[260];   // C2 URL (up to three)
  wchar_t wsC2Url_2[260];
  wchar_t wsC2Url_3[260];
  wchar_t wsProxy[260];     // optional proxy address
  char    sProxyUserName[128];
  char    sProxyPassword[128];
  wchar_t wsUserAgent[260]; // configurable HTTP user-agent string
};

C2 Communication

Each C2 message is wrapped in an AES-GCM envelope keyed off a per-message SplitMix64 seed; the seed, the authentication tag and the ciphertext travel together as a single binary blob:

struct C2Message {
    uint64_t       aes_seed;          // SplitMix64 seed for AES key and nonce
    unsigned char  aes_tag[16];       // AES authentication tag
    unsigned char  ciphertext[];      // AES-GCM encrypted data
};

RemotePELoader POSTs the envelope to one of its C2 URLs over HTTPS. The initial check-in carries an at_check=true cookie; the server replies with an ai_session identifier that the loader carries on every subsequent request. Identity and host-information are exfiltrated via the cookie surface itself — Microsoft-themed names make the traffic look like Office / Azure telemetry:

When the operator decides to deliver the next stage, the server response carries the next-stage PE inside an odata.metadata JSON key — another Microsoft-shaped envelope that blends into normal OData traffic:

RemotePE: Final-Stage, In-Memory RAT

RemotePE is the actual RAT — mapped reflectively by RemotePELoader, never written to disk. Internally it is structured around a small object hierarchy: IChannelController owns the network channel, IMiddleController dispatches incoming command batches to per-class handlers, and individual IConfigProfile / IConsole / IFileExplorer / IProcess / ITimer / IPing objects implement the actual operator commands. The class names themselves leak through the RTTI metadata and are what Fox-IT’s YARA rules anchor on.

Control Flow

RemotePE supports both polling and an out-of-band wake mechanism: it listens on a named Windows event (554D5C1F-AABE-49E4-AB57-994D22ECED28) so that another process on the same host can signal it to drop its sleep timer and beacon immediately. Command output is MSZIP-compressed via cabinet.dll before being sent back. File deletes go through a 7-pass secure-overwrite routine (constant-byte fill, rename, then unlink) that is byte-for-byte similar to the deletion routine seen in POOLRAT, one of the previously documented Lazarus families.

Commands

C2 Protocol

Commands are batched. Each request carries a 16-bit command count followed by an array of variable-length C2Command records, each tagged with the class/function tuple plus a request_id used to match responses:

struct C2Command {
    uint32_t       payload_size;
    uint16_t       class_id;        // class ID from the commands table
    uint16_t       function_id;     // function ID from the commands table
    uint32_t       request_id;      // used to match responses
    unsigned char  payload[];       // variable length, payload_size bytes
};

struct C2CommandBatch {
    uint16_t       command_count;
    C2Command      commands[];      // variable length, command_count entries
};

Responses mirror the same layout: a batch header, per-command response records each carrying a status code, the original request_id and an MSZIP-compressed output buffer:

struct C2CommandResponse {
    uint32_t       response_size;
    uint32_t       error;           // error code, if any
    uint32_t       request_id;      // used to respond to a C2Command request
    unsigned char  payload[];       // variable length, MSZIP-compressed, response_size bytes
};

struct C2CommandResponseBatch {
    uint16_t            command_count;
    C2CommandResponse   commands[]; // variable length, command_count entries
};

The response batch is wrapped in the same AES-GCM envelope as the request, base64-encoded, and shipped back in an armAuthorization JSON key on the HTTP response. Again, the field name is chosen to blend with legitimate Azure-style telemetry:

Fox-IT publishes a Python decryption helper as a public Gist — given a captured envelope and the SplitMix64 seed, it produces a readable response batch:

Retrieved Samples

Infrastructure — Actor-in-the-Loop Delivery

Fox-IT recorded six RemotePELoader check-in sessions across the campaign. The delta between the check-in and the operator returning a RemotePE payload ranges from instant to almost a full day — but converted to Korean Standard Time (UTC+9), every payload return falls inside normal business hours, strongly consistent with a DPRK-operated dispatch desk:

C2 hostnames are themed around Microsoft / Azure / Akamai / Intel cloud-services and are hosted on Namecheap shared hosting, which makes IP-based blocking ineffective — legitimate domains live on the same address space. The campaign overlaps in tradecraft with Lazarus sub-clusters tracked as Citrine Sleet (Microsoft), UNC4736 (Google / Mandiant) and Gleaming Pisces (Unit 42), and with AppleJeus operations targeting cryptocurrency users.

Conclusion (Fox-IT)

RemotePE represents a maturation of the Lazarus toolkit: an in-memory RAT layered behind a victim-bound DPAPI key and an operator-in-the-loop delivery model, where the high-value third stage is only ever sent to confirmed targets and never sits on disk. The chain frustrates traditional sandbox analysis (you cannot detonate a sample lifted from a victim), defeats memory-only static IOCs (RemotePE has no on-disk fingerprint), and blends into Microsoft / Azure-themed traffic on shared hosting. Defenders need to anchor on the parts that do live on disk — DPAPILoader and the encrypted config — and on telemetry that survives ETW patching, such as kernel-mode auditing and network metadata.

Indicators of Compromise

Domains

Host-Based Indicators

Samples

YARA Rules

rule Lazarus_DPAPILoader_Hunting {
  meta:
    description = "Hunting rule to detect DPAPILoader, a loader used to load RemotePE."
    author      = "Fox-IT / NCC Group"

  strings:
    $msg_1 = "[!] Could not allocate memory at the desired base!n"
    $msg_2 = "[!] Virtual section size is out ouf bounds: "
    $msg_3 = "[!] Invalid relocDir pointern"
    $msg_4 = "[-] Not supported relocations format at %d: %dn"
    $msg_5 = "[!] Cannot fill imports into 32 bit PE via 64 bit loader!n"

  condition:
    any of them and pe.imports("Crypt32.dll", "CryptUnprotectData")
}

rule Lazarus_RemotePE_C2_strings {
  meta:
    description = "RemotePE strings used for C2."
    author      = "Fox-IT / NCC Group"

  strings:
    $a = "MicrosoftApplicationsTelemetryDeviceId" wide ascii xor
    $b = "armAuthorization" wide ascii xor
    $c = "ai_session" wide ascii xor

  condition:
    uint16(0) == 0x5A4D and all of them
}

rule Lazarus_RemotePE_class_strings {
  meta:
    description = "RemotePE class strings."
    author      = "Fox-IT / NCC Group"

  strings:
    $a = "IMiddleController"  ascii wide xor
    $b = "IChannelController" ascii wide xor
    $c = "IConfigProfile"     ascii wide xor
    $d = "IKernelModule"      ascii wide xor

  condition:
    all of them
}

rule Lazarus_RemotePE_DPAPI_Encrypted_config {
  meta:
    description = "Detects RemotePE DPAPI-encrypted config on disk"
    author      = "Fox-IT Security Research Team"
  condition:
    filesize == 3094
    and uint32(0)    == 0x00000001   // DPAPI blob version = 1
    and uint32(0x8E) == 0x00000B40   // dwDataLen = 0xB40 (padded config)
}

Key Takeaways

• Three-stage chain isolates the high-value payload. DPAPILoader + RemotePELoader are the only on-disk components; RemotePE itself is only ever returned by the operator on demand and lives entirely in memory. Sandbox detonation of either disk-resident stage in isolation does not yield RemotePE.
• DPAPI binds the chain to the victim machine. The first-stage decryption key is the victim’s DPAPI master key — a textbook environmental-keying primitive (MITRE T1480.001). Without offline DPAPI key recovery, lab triage is impossible.
• RemotePELoader is built specifically to defeat userland EDR. HellsGate-style direct syscalls bypass ntdll hooks, KnownDlls remapping unhooks the rest of ntdll, and a 5-byte xor rax,rax / ret stub neuters EtwEventWrite. Detection has to anchor on kernel-side telemetry.
• The C2 protocol is well-engineered. AES-GCM per message, SplitMix64-derived keys, MSZIP-compressed responses, batched commands with per-command request IDs, and Microsoft-themed cookie / JSON-key surface (MicrosoftApplicationsTelemetryDeviceId, ai_session, armAuthorization, odata.metadata) that blends into legitimate Office / Azure traffic.
• Operator-in-the-loop on Korean business hours. Across six observed C2 sessions, payload return latency varies from instant to ~20 hours, but every return falls inside KST 08:00–18:00 — strong behavioural attribution to a DPRK-operated dispatcher.
• Reused tradecraft links RemotePE to the broader Lazarus tool family. The 7-pass secure-delete is shared with POOLRAT; the campaign overlaps with Citrine Sleet, UNC4736 / 3CX, Gleaming Pisces and AppleJeus operations. RemotePE replaces previously documented ThemeForestRAT / PondRAT lineage.
• Namecheap shared hosting kills IP-blocklisting as a control. The C2 domains are themed around Azure / Akamai / Intel cloud naming and share infrastructure with legitimate tenants — blocking IPs nukes legitimate traffic too. Block at the FQDN / TLS-SNI / certificate level instead.

Defensive Recommendations

• Hunt for DPAPILoader masquerading patterns. Alert on any HKLMSYSTEMCurrentControlSetServicesIas service that points to a ServiceDll whose hash does not match the genuine Microsoft IAS DLL; same logic for sspicli.dll and wmiclnt.dll sideload targets. Use the Fox-IT Lazarus_DPAPILoader_Hunting YARA rule against your EDR / VT retro-hunt corpus.
• Watch the DeviceMetadataStoreen-US path. The encrypted payload and config blobs live in C:ProgramDataMicrosoftWindowsDeviceMetadataStoreen-US*.*. Any new file matching that mask with the size / DPAPI-version signature anchored in Lazarus_RemotePE_DPAPI_Encrypted_config deserves a hard look.
• Detect ETW-patching at runtime. The two-byte stub (48 33 c0 c3) installed at EtwEventWrite is fingerprintable from kernel callbacks (PspCreateProcessNotifyRoutine, image-load callbacks) and from periodic integrity scans of executable pages in trusted system DLLs. Any non-Microsoft writer to those pages is the alert.
• Treat KnownDlls remapping as suspicious. Legitimate code almost never opens KnownDllsntdll.dll directly and maps it as private-RW. EDR vendors with kernel callbacks should flag any user-mode NtOpenSection against KnownDlls from a process that is not csrss.exe / smss.exe.
• FQDN-block the IOC domains and look for cookie-fingerprint hits. Apply the seven domains from the IOC table at DNS-level. In TLS-inspected environments, alert on cookies whose names match MicrosoftApplicationsTelemetryDeviceId + MS0 together — that combination is highly specific to RemotePELoader.
• Capture and decrypt suspected C2 traffic with the Fox-IT helper. Where you have lawful access to packet captures or proxy logs that include the AES envelope, run the published Python helper (gist.github.com/fox-srt/6f838d0b574b095d578b2beed7dc2a24) to recover plaintext commands and command output.
• Recover and triage with Dissect. For any DPAPI-encrypted artefact pulled off a victim host, use Dissect (Fox-IT’s open-source forensic framework) with the harvested master keys to recover the loader and config offline; this is the only practical path to a clean reverse-engineering sample because of the environmental keying.
• Block the out-of-band wake event. The named Windows event 554D5C1F-AABE-49E4-AB57-994D22ECED28 is RemotePE-specific. Alert on any kernel-visible event creation matching that GUID; nothing legitimate should signal it.

Conclusion

RemotePE is a clean illustration of where Lazarus tradecraft has landed in 2026: the high-value payload is in-memory and operator-gated, the disk-resident stages are environmentally keyed, the network plane is Microsoft-themed and AES-GCM-encrypted, and the evasion stack is tuned specifically against userland EDR. Defenders cannot rely on sample lifting and detonation alone; the workable detection path runs through (1) hunting the masqueraded DPAPILoader services, (2) catching the ETW / KnownDlls tampering at runtime from kernel telemetry, and (3) anchoring network controls at the FQDN and cookie-fingerprint layer rather than at the IP layer, where Namecheap shared hosting wins. Pair the IOC and YARA set from the Fox-IT write-up with the Dissect-based offline DPAPI workflow and you have a workable response playbook.

References

• Original write-up — Yun Zheng Hu & Mick Koomen, Fox-IT (NCC Group): RemotePE: The Lazarus RAT that lives in memory
• Fox-IT companion piece: Three Lazarus RATs coming for your cheese
• Kaspersky — Operation AppleJeus
• Microsoft — Citrine Sleet exploiting Chromium zero-day
• Google / Mandiant — 3CX software supply-chain compromise (UNC4736)
• Palo Alto Unit 42 — North Korean threat groups 2024 (Gleaming Pisces)
• Dissect framework — docs.dissect.tools
• Decryption helper — gist.github.com/fox-srt/6f838d0b574b095d578b2beed7dc2a24
• MITRE ATT&CK — T1480.001 Environmental Keying

Full credit for the vulnerability research, reverse-engineering, IOC set, YARA rules and screenshots goes to Yun Zheng Hu and Mick Koomen at Fox-IT (NCC Group). Read the original at blog.fox-it.com.