Threat Intelligence

North Korea's Lazarus Group uses new RemotePE malware against financial targets

By SC Staff, May 26, 2026

As reported by The Hacker News, a sophisticated cross-platform malware known as RemotePE has been identified as the latest tool in the arsenal of the North Korea-linked Lazarus Group, specifically targeting financial and cryptocurrency organizations. This discovery, made by Fox-IT, part of NCC Group, highlights the group's continued efforts to infiltrate and exploit entities within the digital finance sector.

RemotePE is deployed through a multi-stage attack chain involving two loaders, DPAPILoader and RemotePELoader. DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API. RemotePELoader then communicates with a command-and-control (C2) server to receive the final stage: RemotePE. This remote access trojan (RAT) is designed to operate entirely in memory, leaving minimal forensic artifacts on the filesystem.

The malware employs evasion techniques like Hell's Gate and patches Event Tracing for Windows (ETW) to avoid detection. RemotePE supports various commands, including C2 configuration management, file operations, process manipulation, and self-management. A notable feature is its file deletion method, which overwrites files multiple times before deletion, a technique also seen in related malware.

The Lazarus Group appears to reserve this toolset for high-value targets, aiming for long-term, stealthy access for objectives such as data theft or financial heists, consistent with their known modus operandi.

Source: The Hacker News
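The article notes that RemotePE patches ETW in user mode so that the tracing calls security products rely on never fire. One way a defender can surface that is an integrity check on the entry bytes of the ETW exports in ntdll.dll: because ntdll is mapped at the same base in every process for a given boot, a sensor can read the prologue of, for example, EtwEventWrite in a target process and compare it with the bytes in its own (trusted) copy. The script below is an added example, not code from the article, from Fox-IT or from the malware; the choice of exports to watch, the 16-byte prologue length and the sample byte values in the comments are this example's assumptions, and the live read functions only work on Windows, while the comparison logic runs anywhere.

```python
import ctypes
import sys

# ntdll exports that user-mode ETW patching is usually aimed at
# (real export names; selecting these three is this example's assumption).
ETW_EXPORTS = ("EtwEventWrite", "EtwEventWriteFull", "NtTraceEvent")
PROLOGUE_LEN = 16  # bytes compared at each function entry (assumed length)


def local_export_address(dll: str, export: str) -> int:
    """Resolve an export in this process; valid for other processes too, since
    ntdll shares one base address across processes until the next reboot."""
    if sys.platform != "win32":
        raise OSError("live memory checks need Windows")
    module = ctypes.WinDLL(dll)
    return ctypes.cast(getattr(module, export), ctypes.c_void_p).value


def read_local_prologue(export: str, dll: str = "ntdll", length: int = PROLOGUE_LEN) -> bytes:
    """Entry bytes of an export in this (assumed unpatched) sensor process."""
    return ctypes.string_at(local_export_address(dll, export), length)


def read_remote_prologue(pid: int, export: str, dll: str = "ntdll", length: int = PROLOGUE_LEN) -> bytes:
    """Entry bytes of the same export inside another process, via ReadProcessMemory."""
    from ctypes import wintypes  # Windows-only helper types
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.ReadProcessMemory.restype = wintypes.BOOL
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
    handle = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        raise OSError(ctypes.get_last_error(), "OpenProcess failed")
    try:
        buf = ctypes.create_string_buffer(length)
        got = ctypes.c_size_t(0)
        ok = k32.ReadProcessMemory(handle, local_export_address(dll, export),
                                   buf, length, ctypes.byref(got))
        if not ok:
            raise OSError(ctypes.get_last_error(), "ReadProcessMemory failed")
        return buf.raw[: got.value]
    finally:
        k32.CloseHandle(handle)


def collect_prologues(reader, exports=ETW_EXPORTS) -> dict:
    """Map export name -> entry bytes; exports that cannot be read are skipped."""
    out = {}
    for name in exports:
        try:
            out[name] = reader(name)
        except (OSError, AttributeError):
            continue
    return out


def detect_tampering(reference: dict, observed: dict) -> list:
    """Names whose observed entry bytes differ from the trusted reference.
    A missing observation is reported too: an unreadable export is worth a look."""
    return sorted(name for name, ref in reference.items() if observed.get(name) != ref)


def check_process(pid: int) -> list:
    """Compare a target process's ETW export prologues with this process's copy."""
    reference = collect_prologues(read_local_prologue)
    observed = collect_prologues(lambda name: read_remote_prologue(pid, name))
    return detect_tampering(reference, observed)


if __name__ == "__main__":
    for target in (int(p) for p in sys.argv[1:]):
        print(target, check_process(target) or "no ETW export tampering seen")
```

Run it as an administrator with one or more PIDs (`python etw_check.py 4242`); an empty list means the watched exports look identical to the sensor's own copy. The reference is only as trustworthy as the process taking it, so a production sensor would compare against the export bytes parsed from the on-disk ntdll.dll image rather than against itself, and would treat a short or failed read on one export as a finding rather than as noise.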