# Lazarus Group's RemotePE Malware Targets Crypto Firms with Memory-Resident RAT
Cybersecurity researchers have uncovered a sophisticated, cross-platform malware dubbed **RemotePE**, deployed by the North Korea-linked **Lazarus Group**. The malware targets financial and cryptocurrency organizations, operating entirely in memory to evade detection.

**Fox-IT**, a subsidiary of **NCC Group**, detailed **RemotePE** as part of a multi-stage attack involving two loaders: **DPAPILoader** and **RemotePELoader**.
### Multi-Stage Infection Chain
The infection process begins with **DPAPILoader**, which uses the **Windows Data Protection API (DPAPI)** to decrypt and load **RemotePELoader** from disk. Researchers Yun Zheng Hu and Mick Koomen describe the chain as follows: "**DPAPILoader** decrypts and loads **RemotePELoader** from disk using the Windows Data Protection API ([DPAPI](https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection)). **RemotePELoader** beacons to a C2 server and waits until it receives the next stage: **RemotePE**, a RAT executed entirely in memory and never written to disk, leaving no filesystem artifacts."
**RemotePE** was initially identified in September 2025 during an attack on a decentralized finance (DeFi) organization, resulting in the deployment of **PondRAT**, **ThemeForestRAT**, and **RemotePE**.
### Initial Compromise and Loader Functionality
The intrusion starts with social engineering, where an attacker, posing as a trading company employee on **Telegram**, compromises an employee's device using fake **Calendly** and **Picktime** domains.
The **RemotePE** infection sequence comprises three stages, with the **DPAPILoader** DLL ("Iassvc.dll") decrypting and loading an encrypted payload from disk via **DPAPI**. The earliest **DPAPILoader** artifact dates back to November 2023.
The decrypted payload, **RemotePELoader**, connects to a remote server ("aes-secure[.]net") over HTTP to retrieve the core module. Before execution, it employs evasion techniques like [Hell's Gate](https://redops.at/en/blog/exploring-hells-gate) and patches **Event Tracing for Windows (ETW)** to avoid detection.

### RemotePE RAT Capabilities
The final stage involves the **RemotePE** remote access trojan, written in C++, which polls a command-and-control (C2) server for instructions. The malware supports six command categories:
* Obtain or modify the C2 configuration
* Manage directories and DLL modules
* Perform file operations
* Manage processes
* Control malware execution (sleep or exit)
* Ping the server
Notably, the file deletion command overwrites files with constant bytes seven times before renaming and deleting them, a tactic also seen in **PondRAT** and **POOLRAT** (aka **SIMPLESEA**). **PondRAT** is considered a lighter version of **POOLRAT**.
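The repeated-overwrite-then-rename-then-delete behaviour described above is a usable hunting signal in file-activity telemetry. The detector below is an added example, not code from Fox-IT or from the malware; the event tuple shape and the sample events are a constructed, simplified stand-in for EDR file telemetry, and the seven-pass threshold is taken from the behaviour the article reports.

```python
from collections import defaultdict

# Constructed sample telemetry (assumed shape, not a real EDR schema):
# (sequence_no, pid, operation, path, new_path_or_None)
WALLET = r"C:\Users\alice\wallet.dat"
TMP = r"C:\Users\alice\q7x1"
NOTES = r"C:\Users\alice\notes.txt"

SAMPLE_EVENTS = (
    # Suspicious: seven overwrites of the same file, then rename, then delete
    [(i, 4242, "write", WALLET, None) for i in range(1, 8)]
    + [(8, 4242, "rename", WALLET, TMP), (9, 4242, "delete", TMP, None)]
    # Benign: a single save followed by deletion of a scratch file
    + [(10, 5151, "write", NOTES, None), (11, 5151, "delete", NOTES, None)]
)

WIPE_PASSES = 7  # RemotePE/PondRAT/POOLRAT overwrite a file seven times before rename + delete


def find_wipe_sequences(events, min_passes=WIPE_PASSES):
    """Return one record per chain of >= min_passes writes -> rename -> delete by one process.

    Events are processed in sequence order so the chain ordering is enforced,
    and the rename target is tracked so the final delete is tied back to the
    original path even though it happens under a different name.
    """
    write_counts = defaultdict(int)   # (pid, path) -> consecutive write count
    pending_renames = {}              # (pid, new_path) -> (original_path, passes)
    hits = []
    for _seq, pid, op, path, new_path in sorted(events):
        key = (pid, path)
        if op == "write":
            write_counts[key] += 1
        elif op == "rename":
            passes = write_counts.pop(key, 0)
            if passes >= min_passes:
                pending_renames[(pid, new_path)] = (path, passes)
        elif op == "delete":
            if key in pending_renames:
                original, passes = pending_renames.pop(key)
                hits.append({"pid": pid, "original": original,
                             "deleted_as": path, "passes": passes})
            write_counts.pop(key, None)   # a plain delete resets the counter
    return hits


if __name__ == "__main__":
    for hit in find_wipe_sequences(SAMPLE_EVENTS):
        print(f"wipe pattern: pid={hit['pid']} {hit['original']} -> {hit['deleted_as']} "
              f"({hit['passes']} passes)")
```

Real telemetry rarely exposes the overwritten bytes, so the count of write operations to the same handle or path, rather than the constant-byte content, is what this logic keys on.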
### Development Timeline and Strategic Implications
**Fox-IT** obtained four **RemotePE** samples, indicating active development between mid-2023 and mid-2024; the earliest compilation timestamp is July 4, 2023.
Researchers stated, "The toolset's environmental keying, memory-only execution, EDR evasion, and low forensic footprint suggest it is purpose-built for long-term observation campaigns... This allows the actor to quietly maintain access over an extended period before moving to a high-impact final objective such as data theft or a large-scale financial heist, consistent with this actor's known history."
They added, "The actor-in-the-loop delivery model and the toolset's low detection rate (neither **RemotePELoader** nor **RemotePE** appeared on **VirusTotal** prior to this publication) suggest this toolset may be reserved for high-value targets where long-term, stealthy access is the objective, consistent with this **Lazarus** subgroup's known focus on financial and cryptocurrency organizations."