North Korea-linked Lazarus hackers used memory-only RemotePE malware in new cyberattacks targeting developers and companies.

The North Korea-linked Lazarus Group has been linked to a new cyber campaign using memory-only malware known as RemotePE to infiltrate systems and evade traditional security defenses, according to researchers.
Security researchers said the attacks involved Lazarus operators deploying RemotePE malware directly into system memory, allowing the payload to execute without leaving obvious traces on disk. The technique significantly reduces the likelihood of detection by conventional antivirus tools and endpoint monitoring solutions.
According to investigators, the campaign targeted developers, technology firms, and organisations associated with cryptocurrency and blockchain sectors, industries that have repeatedly been targeted by North Korean threat actors seeking financial gain and intelligence collection. Researchers said the malware was distributed through social engineering tactics and trojanized software packages.
The RemotePE malware allows attackers to load and execute Portable Executable (PE) files directly within a system’s memory space without writing malicious files to disk. Analysts said the malware also incorporated anti-analysis techniques, encrypted communications, and stealth-focused execution methods designed to hinder forensic investigations.
Researchers observed overlaps between the latest activity and previous Lazarus operations involving fake job offers, compromised developer tools, malicious npm packages, and trojanized cryptocurrency applications. The hacking group has increasingly targeted software supply chains and developer environments as part of broader espionage and cryptocurrency theft campaigns.
Lazarus, also tracked under names including Hidden Cobra and APT38, has been linked to some of the world’s largest cyber thefts and espionage operations. The group has previously been accused of stealing billions of dollars in cryptocurrency to support North Korea’s sanctioned economy and weapons programs.
Cybersecurity experts warned that memory-only malware techniques are becoming increasingly common among advanced persistent threat groups because they make detection and incident response significantly more difficult. Fileless malware attacks frequently abuse legitimate Windows processes and trusted system tools to blend into normal activity.
Researchers advised organisations to strengthen endpoint monitoring, restrict execution of unsigned code, enforce multi-factor authentication, and closely monitor developer environments and software supply chains for suspicious behavior linked to Lazarus campaigns.
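The monitoring the recommendations above call for can be prototyped against endpoint telemetry before it is pushed into a SIEM rule. The following is an added example, not code from the article or from the researchers it cites: a small Python scanner over constructed Sysmon-style records that flags (a) image loads whose signature check failed, which is the telemetry side of "restrict execution of unsigned code", and (b) remote threads started at an address that no loaded module of the target process covers, the usual trace left by a PE that was mapped straight into memory rather than loaded from a file on disk. The field names follow Sysmon Event IDs 7 (ImageLoad) and 8 (CreateRemoteThread) in simplified form; the module ranges, paths and addresses are constructed sample data, and a real deployment would read these records from the sensor's EVTX or JSON output.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ModuleRange:
    """Address range of a legitimately loaded module in a target process
    (constructed sample; an EDR would keep this per process from its own telemetry)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Event:
    """Simplified Sysmon-style record: the event id plus only the fields the checks use."""
    event_id: int
    fields: Dict[str, str]


def check_unsigned_image_load(ev: Event) -> Optional[str]:
    """Event ID 7: flag a module whose Authenticode check did not pass."""
    if ev.event_id != 7:
        return None
    if ev.fields.get("Signed", "").lower() != "true":
        return (f"unsigned image {ev.fields['ImageLoaded']} "
                f"loaded into {ev.fields['Image']}")
    return None


def check_unbacked_remote_thread(ev: Event,
                                 modules: Dict[str, List[ModuleRange]]) -> Optional[str]:
    """Event ID 8: a thread whose start address falls inside no loaded module of the
    target is the classic symptom of code that exists only in memory."""
    if ev.event_id != 8:
        return None
    target = ev.fields["TargetImage"]
    start = int(ev.fields["StartAddress"], 16)
    if any(m.contains(start) for m in modules.get(target, [])):
        return None  # start address is backed by a known module: benign
    return (f"remote thread in {target} at {start:#x} outside any loaded module "
            f"(source {ev.fields['SourceImage']})")


def scan(events: List[Event], modules: Dict[str, List[ModuleRange]]) -> List[str]:
    """Run every check over every event and collect the findings in event order."""
    findings: List[str] = []
    for ev in events:
        for hit in (check_unsigned_image_load(ev),
                    check_unbacked_remote_thread(ev, modules)):
            if hit:
                findings.append(hit)
    return findings


# Constructed sample: the modules an EDR knows to be loaded in explorer.exe.
SAMPLE_MODULES = {
    r"C:\Windows\explorer.exe": [
        ModuleRange("explorer.exe", 0x7FF6_0000_0000, 0x0040_0000),
        ModuleRange("ntdll.dll", 0x7FFA_0000_0000, 0x0020_0000),
    ],
}

# Constructed sample events: one benign and one suspicious record per event id.
SAMPLE_EVENTS = [
    Event(7, {"Image": r"C:\Program Files\nodejs\node.exe",
              "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"}),
    Event(7, {"Image": r"C:\Program Files\nodejs\node.exe",
              "ImageLoaded": r"C:\Users\dev\AppData\Local\Temp\helper.dll", "Signed": "false"}),
    Event(8, {"SourceImage": r"C:\Program Files\nodejs\node.exe",
              "TargetImage": r"C:\Windows\explorer.exe",
              "StartAddress": "0x7FFA00001000"}),       # inside ntdll.dll: benign
    Event(8, {"SourceImage": r"C:\Program Files\nodejs\node.exe",
              "TargetImage": r"C:\Windows\explorer.exe",
              "StartAddress": "0x000001A2B3C40000"}),   # backed by no module: flag it
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, SAMPLE_MODULES):
        print("ALERT:", finding)
```

Both checks produce noise on their own (unsigned in-house tools, JIT runtimes allocating executable heap), so in practice they are scored together with the parent process and the source image rather than alerting individually; the example keeps them separate so each signal is visible.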