thehackernews.com web signal

Lazarus Group steals $577M via fileless RAM malware

cybersecurity malware cryptocurrency nation-state

Key insights

  • Lazarus Group's RemotePE RAT executes entirely in memory, so there is no payload file on disk for hash-based endpoint tooling or disk forensics to find; detection has to come from process behavior and memory inspection.
  • North Korea stole $577M in cryptocurrency in just the first four months of 2026, per TRM Labs research.
  • Lazarus Group accounts for 76% of all global crypto theft recorded in 2026 so far, an unusual concentration of worldwide theft in a single state-sponsored actor.

Why this matters

Memory-only malware defeats the controls that key on file writes and on-disk hashes, which is still how a large share of endpoint tooling is deployed and tuned; catching it requires behavioral telemetry (process injection, unexpected child processes, beaconing from unexpected images) and memory capture, capabilities most organizations have not rolled out or tuned at scale. The 76% figure means a single nation-state actor is now the dominant thief across the global crypto custody and exchange ecosystem, which should reshape how crypto firms model their threat landscape and insurance exposure. For founders building fintech or crypto products, the Telegram-based social engineering vector, built on look-alike Calendly and Picktime domains, means that link verification, vetting of third-party SaaS links, and employee-impersonation training are now load-bearing security controls, not optional hygiene.
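A concrete instance of the behavioral detection the paragraph calls for, as an added example (not code from the article, from TRM Labs, or from any EDR vendor): a correlation rule over Sysmon-style process telemetry that flags a process which makes an outbound connection and then creates a thread in another process without having written any file in between, which is the shape a network-staged, memory-only loader chain leaves in process telemetry. The event IDs are Sysmon's real ones (1 ProcessCreate, 3 NetworkConnect, 8 CreateRemoteThread, 11 FileCreate); the event records, process names and addresses are constructed for the example and are not observations from this campaign.

```python
from collections import defaultdict

# Sysmon event IDs referenced below (real IDs): 1 ProcessCreate, 3 NetworkConnect,
# 8 CreateRemoteThread, 11 FileCreate. The records themselves are constructed for
# this example and are not telemetry from the RemotePE campaign.
SAMPLE_EVENTS = [
    # pid 4100: outbound connection, then a remote thread into explorer.exe,
    # with nothing written to disk in between -> memory-only staging pattern
    {"seq": 1, "id": 1, "pid": 4100, "image": r"C:\Users\alice\AppData\Local\Temp\helper.exe"},
    {"seq": 2, "id": 3, "pid": 4100, "dest": "203.0.113.7", "port": 443},
    {"seq": 3, "id": 8, "pid": 4100, "target_pid": 1200, "target_image": r"C:\Windows\explorer.exe"},
    # pid 5200: an updater that downloads, writes a package, then injects;
    # the file write gives disk-based tooling something to inspect
    {"seq": 4, "id": 1, "pid": 5200, "image": r"C:\Program Files\Updater\updater.exe"},
    {"seq": 5, "id": 3, "pid": 5200, "dest": "198.51.100.20", "port": 443},
    {"seq": 6, "id": 11, "pid": 5200, "file": r"C:\ProgramData\Updater\pkg-1.2.msi"},
    {"seq": 7, "id": 8, "pid": 5200, "target_pid": 5300, "target_image": r"C:\Program Files\Updater\helper.exe"},
    # pid 6100: a browser with network traffic and no injection at all
    {"seq": 8, "id": 1, "pid": 6100, "image": r"C:\Program Files\Browser\browser.exe"},
    {"seq": 9, "id": 3, "pid": 6100, "dest": "192.0.2.44", "port": 443},
]


def find_memory_staging(events):
    """Flag processes whose most recent outbound connection is followed by a
    CreateRemoteThread into another process with no FileCreate in between.

    Returns a list of findings; each names the process, the connection that
    preceded the injection (a C2 candidate) and the injection target.
    """
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["seq"]):
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        image = next((e["image"] for e in evs if e["id"] == 1), "<unknown>")
        last_net = None          # most recent NetworkConnect by this pid
        wrote_since_net = False  # any FileCreate after that connection?
        for ev in evs:
            if ev["id"] == 3:
                last_net, wrote_since_net = ev, False
            elif ev["id"] == 11:
                wrote_since_net = True
            elif (ev["id"] == 8 and last_net is not None
                  and not wrote_since_net and ev["target_pid"] != pid):
                findings.append({
                    "pid": pid,
                    "image": image,
                    "c2_candidate": f"{last_net['dest']}:{last_net['port']}",
                    "injected_into": ev["target_image"],
                })
    return findings


if __name__ == "__main__":
    for f in find_memory_staging(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}) connected to {f['c2_candidate']} "
              f"then created a thread in {f['injected_into']} without writing a file")
```

Treat the rule as a starting point rather than a finished detection: it will also fire on legitimate in-memory tooling (debuggers, some security agents), so those images need an allow-list; loaders that use other injection primitives show up in Sysmon 10 (ProcessAccess) and 7 (ImageLoad) rather than 8; and Sysmon 11 only records file creation, so pair it with your EDR's file-write telemetry before trusting the "nothing written" half of the condition.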

Summary

North Korea's Lazarus Group is running a fileless attack campaign against financial and cryptocurrency firms using RemotePE, a remote access trojan that executes entirely in memory and leaves no payload on disk. The entry point is social engineering via Telegram, where attackers impersonate company employees and send meeting links hosted on fake Calendly and Picktime domains. Once a target engages, a multi-stage loader chain kicks off: DPAPILoader fetches RemotePELoader, which in turn pulls the RemotePE payload from a command-and-control server at runtime and executes it in memory, so the RAT itself is never written to disk.

Essentially: North Korea has turned memory-only malware into a scaled crypto-theft operation.

  • RemotePE leaves no disk artifacts, which makes forensic reconstruction and incident response significantly harder for targeted firms.
  • Lazarus stole $577M in cryptocurrency in the first four months of 2026 alone, per TRM Labs.
  • That figure represents 76% of all global crypto theft tracked in that period.

The $577M number reframes this from a targeted espionage campaign into what is effectively a state-run revenue operation funding North Korea's sanctioned economy.
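The Telegram lure described above depends on the target not noticing that a meeting link does not actually point at calendly.com or picktime.com. The following added example, not code from the article or from TRM Labs, is a small URL triage check a security team could run over chat messages or a link-click log: it extracts URLs, folds common Cyrillic look-alike letters to Latin, and classifies each host as legitimate, look-alike (brand string inside someone else's registrable domain, a one-character typosquat, or a homoglyph) or unknown. The allow-list, the sample messages and the decoy domains are constructed for the example; the page does not name the actual fake domains the campaign used.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list: the real hosts of the two scheduling services the report
# says were impersonated. Extend with whatever your organisation actually uses.
LEGIT_SCHEDULING_HOSTS = {"calendly.com", "picktime.com"}

# Cyrillic letters that render like Latin ones; enough for this example, not a
# complete confusables table (Unicode TR39 has the full list).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Adequate for .com/.example here; a
    production check should use the public suffix list (co.uk and friends)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """Return 'legitimate', 'lookalike' or 'unknown' for a URL host."""
    host = host.lower().rstrip(".")
    folded = host.translate(CONFUSABLES)
    homoglyph = folded != host            # non-Latin letters standing in for Latin ones
    reg = registrable_domain(folded)
    if reg in LEGIT_SCHEDULING_HOSTS and not homoglyph:
        return "legitimate"               # apex or a real subdomain such as app.calendly.com
    for legit in LEGIT_SCHEDULING_HOSTS:
        brand = legit.split(".")[0]
        # brand name present but the registrable domain is someone else's:
        # calendly.com.evil.example, calendly-invite.example, Cyrillic-a calendly.com
        if brand in folded:
            return "lookalike"
        # one-character typosquat of the brand label: calendy.com, picktme.com
        if edit_distance(reg.split(".")[0], brand) == 1:
            return "lookalike"
    return "unknown"


def scan_messages(messages):
    """Extract every URL from each message and classify its host."""
    findings = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            host = urlsplit(url).hostname or ""
            findings.append((url, classify_host(host)))
    return findings


# Constructed Telegram-style messages; the decoy domains are invented for the
# example and are not the campaign's real infrastructure.
SAMPLE_MESSAGES = [
    "Hi, partnerships team here, grab a slot: https://calendly.com/acme-bd/30min",
    "Let's sync tomorrow: https://calendly.com.meeting-confirm.example/acme",
    "Book here https://calendy.com/acme/intro",
    "Schedule: https://app.picktime.com/acme",
    "Use this one instead: https://picktime-book.example/acme",
    "https://c\u0430lendly.com/acme",
]

if __name__ == "__main__":
    for url, verdict in scan_messages(SAMPLE_MESSAGES):
        print(f"{verdict:10s} {url}")
```

Two caveats for anyone adapting this: the registrable-domain cut is deliberately naive and must be replaced with a public-suffix-list lookup before it sees real traffic, and an "unknown" verdict is not a clean bill; in a deployment that matters, any scheduling link whose host is not on the allow-list should go to review rather than be clicked.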

Potential risks and opportunities

Risks

  • Crypto exchanges and custodians using Telegram for business development or hiring communications face immediate exposure if employees have not been briefed on the fake scheduling-domain vector.
  • Endpoint detection vendors (CrowdStrike, SentinelOne) face customer pressure and potential churn if RemotePE variants proliferate beyond this campaign in Q2-Q3 2026 and customers discover their deployments were tuned to file-write and hash telemetry rather than the memory-scanning and behavioral features those products also offer.
  • DeFi protocols and smaller crypto firms without dedicated threat intelligence functions are likely already targeted and unaware, given Lazarus's historical pattern of staging multiple simultaneous intrusions before activating payloads.

Opportunities

  • In-memory threat detection vendors (Huntress, Intezer, Morphisec) gain a clear sales narrative to crypto and fintech security teams that are now explicitly aware their disk-based tools are insufficient.
  • Crypto-focused cyber insurers (Coincover, Evertas) can reprice coverage for firms lacking behavioral EDR and memory forensics capabilities, while firms with those controls gain a pricing advantage.
  • Identity and communications security vendors (Abnormal Security, SlashNext) targeting Telegram and calendar-phishing vectors have a named, active nation-state campaign to anchor their pipeline conversations with financial services prospects.

What we don't know yet

  • Whether any of the $577M stolen in 2026 has been successfully traced, frozen, or recovered through on-chain analytics as of May 2026.
  • Which specific financial firms or crypto exchanges were targeted in this RemotePE campaign -- no named victims have appeared in public reporting.
  • Whether the fake Calendly and Picktime domains used in the Telegram phishing have been taken down or are still active infrastructure as of publication.