NEW THREAT INTEL: RemotePE - Lazarus' memory-only RAT, no disk artifacts. 9 detections, 31 IOCs. intel.threadlinqs.com/threat… #ThreatIntel #Lazarus
The “Lazarus” group is deploying the RemotePE malware against financial and digital institutions. Details: url-shortener.me/MTIM #مركز_الأمن_السيبراني_للابحاث_والدراسات
😮 North Korean hackers have launched a new “invisible” virus for attacks on banks and crypto companies. The #Lazarus group has started using a new trojan, #RemotePE, which runs entirely in RAM and leaves almost no traces on the system.
📌 A series of cyberattacks is targeting Ghost CMS, npm, PyPI and Crates.io through advanced malware. The CVE-2026-26980 vulnerability in Ghost CMS was exploited, leading to ClickFix attacks. At the same time, a supply-chain attack called TrapDoor Crypto Stealer was discovered, targeting 34 packages and several hundred versions across npm, PyPI and Crates.io. RAT activity called RemotePE, linked to the Lazarus group, was also observed. It is recommended to update Ghost CMS and to check shared packages on npm, PyPI and Crates.io to make sure no malware is present. 🔗 More: securityaffairs.com/?p=19292…
In April, crypto lost $651M to hacks. 88% of it went to North Korea's Lazarus Group. May is structured very differently. Here's the picture from May 1 through today, May 29. Direct on-chain losses are way down. But the attack surface moved upstream, into the dev tools, the AI agents, and the supply chain that every protocol you use depends on.

⚠️ READ THIS PART FIRST (if you only have 30 seconds):

1. Lazarus did not run a single major drain in May. That's not because they stopped. Fox-IT's May 22 RemotePE disclosure says they've been sitting inside crypto firms quietly since 2023.
2. The biggest May threats didn't touch a smart contract. Mini Shai-Hulud (May 11) and TrapDoor (May 22) went after the dev tools that build the protocols you use. One worm hit 172 packages with 518M weekly downloads. OpenAI confirmed two employee devices got owned.
3. AI agents started moving money in response to attackers. The Grok/Bankrbot incident on May 4 was the first time (as discovered) a chat AI auto-executed a crypto transfer because a stranger hid an instruction in Morse code. Permission chains are now an attack surface.
4. On May 26, Manuel Aráoz, a former OpenZeppelin co-founder who helped build the most respected smart contract security firm in DeFi, publicly said he now considers all of DeFi unsafe and has advised his own family to exit positions in Aave, MakerDAO, and Compound. OpenZeppelin issued an official rebuttal. Aave Chan Initiative's Marc Zeller called the post "a moronic thing to say." The industry is split, but the warning landed.

>> WHAT THIS MEANS FOR YOU (share with your friends):
> Long-term holdings → hardware wallet. None of these incidents touched anyone with self-custodied cold storage. Not one.
> Yield farming, LP, lending, staking → keep going if the yield justifies the risk, but treat that portion like a checking account. The protocol's security is the dev pipeline's security, and that pipeline is being actively poisoned.
> Exchanges → still where most retail lives. The May story tells you why. The threats aren't really your wallet. They're the platform's CI/CD and the AI agents wired to it.
> If you click links or DMs from crypto strangers → please don't. Social engineering is doing more damage than smart contract bugs right now. Fake Calendly invites. Fake job interviews. Fake Google ads above the real Uniswap link. ($400K taken on May 25 alone from that last one.)

================================
RECEIPTS (May 1 through May 29):
> May 4: Grok / Bankrbot, ~$175K to $200K. AI prompt-injection via Morse code on X. A maintenance rewrite dropped the hardcoded block on Grok-originated replies. No regression test caught it. First public AI-agent permission-chain abuse to actually move funds. ~80% returned after the community doxxed the attacker.
> May 11: Mini Shai-Hulud (TeamPCP) npm worm. CVE-2026-45321, CVSS 9.6. 400 malicious versions across 172 packages including 42 TanStack libraries, 65 UiPath packages, Mistral AI's PyPI client, OpenSearch JavaScript client, and Guardrails AI. 518M combined weekly downloads. Self-propagating. It steals credentials from one CI pipeline, enumerates every package that maintainer controls, and infects each. Attack chain: poisoned pull_request_target trigger → GitHub Actions cache poisoning → OIDC token extraction. OpenAI confirmed 2 employee devices hit; code-signing certs rotated.
> May 15: THORChain Asgard vault, $10.7M. Malicious validator node joined the network May 13. Exploited a vulnerability in the GG20 threshold signature scheme. Partial key material leaked incrementally during signing ceremonies until the attacker could reconstruct the full private key. Trading halted ~13 hours. 1 of 6 vaults; user deposits untouched. RUNE dropped 15%.
> May 17: Adshares bridge, $628K. Fake wADS minted on Ethereum, dumped via Uniswap V4 router. Attacker returned 256 ETH (~86%) on May 18.
> May 18: Verus-Ethereum bridge, $11.58M. Same vulnerability class as Wormhole and Nomad. Cryptographic validity is not economic validity. The bridge verified the message envelope but didn't check that the input amount on Verus matched the payout on Ethereum. Blockaid says ~10 lines of code would have prevented it. Resolved May 22: attacker returned 4,052 ETH (~$8.5M), kept 1,350 ETH (~$2.8M) as a negotiated bounty.
> May 19: Echo Protocol / Curvance, $77M minted on paper, $816K real loss. Don't trust the headline number. Admin key compromise minted 1,000 unbacked eBTC on Monad. Curvance accepted 45 fake eBTC as collateral, attacker borrowed 11.3 WBTC (~$868K), bridged to ETH, sent ~384 ETH to Tornado Cash. Echo regained admin keys and burnt the remaining 955 eBTC.
> May 22: Polymarket, $573K. ZachXBT flagged the breach. A six-year-old internal private key tied to reward payouts was compromised. ZachXBT, Bitcoin_Vietnam, and ChangeNOW_io coordinated to freeze $164K. No user funds touched, no smart contract exploit. The team rotated keys and migrated to KMS-based management.
> May 22: Fox-IT publishes RemotePE deep-dive. Lazarus subgroup's memory-only RAT, active since 2023. Same actor cluster behind April's Drift and KelpDAO. No new drain attached. Yet.
> May 22: TrapDoor supply chain. Socket's public disclosure date. First package detected at 20:20:18 UTC: eth-security-auditor@0.1.0 on PyPI. Phoenix Security's later forensic analysis traces the campaign start to May 19. 34 packages across npm (21), PyPI (7), Crates.io (6). Targets Sui, Move, AI devs. XOR-encrypts crypto keystores with the hardcoded Rust key "cargo-build-helper-2026", exfiltrates to GitHub Gists. Average detection time across the campaign: 5 minutes 56 seconds. Unusual move: drops .cursorrules and CLAUDE.md files with zero-width Unicode characters that are invisible to humans but flow into AI coding assistants as instructions, tricking them into running the malicious "security scan."
> May 25: Fake Uniswap Google Ads, $400K. AngelFerno drainer-as-a-service. On-chain analyst b-block surfaced the campaign. Sponsored Google ads ranked above the real Uniswap. Same drainer also hit PancakeSwap, Morpho, Hyperliquid, CoW Swap, and Ledger lookalike domains. Security Alliance counts 356 malicious ad links across the broader 2026 campaign.
> May 26: Anthropic Mythos / Project Glasswing update. Mythos has now detected 23,019 vulnerabilities across Glasswing partner software. 6,202 estimated high or critical. 1,094 confirmed valid high or critical. Only 97 patched. Headline find: WolfSSL cert-forgery CVE-2026-5194 (CVSS 9.1), used widely in IoT, embedded systems, and crypto infrastructure. The defensive AI is finding bugs faster than humans can fix them.
> May 26 (late) / May 27: Manuel Aráoz, former OpenZeppelin co-founder (he left in 2019), posts on X that he now considers all of DeFi unsafe, citing AI coding agents reaching "superhuman" levels at finding smart contract vulnerabilities. Says he has advised friends and family to exit DeFi positions including Aave, MakerDAO, and Compound. OpenZeppelin (current CEO Demian Brener) issues an official statement that Aráoz's views do not represent the firm. Aave Chan Initiative founder Marc Zeller calls the post "a moronic thing to say," noting that less than 10% of DeFi issues in the past year stemmed from the actual codebase. The industry is split. The warning lands either way.

================================
3 patterns that matter more than dollar values:
> The attack surface moved upstream. Mini Shai-Hulud and TrapDoor went after the tools developers use to build the protocols you use. One worm. 172 packages. Billions of downloads. The smart contract was never the failure point.
> AI is now in both stacks.
- Offensive: Grok/Bankrbot is the first AI-agent heist at scale. Lazarus is using AI for social engineering (Zerion, April). TrapDoor explicitly targets AI coding assistants by planting hidden instructions in CLAUDE.md and .cursorrules.
- Defensive: Mythos found 23,019 vulnerabilities in 6 weeks. The bottleneck is now patching speed, not discovery.
> Recovery rates went up. Verus got 75% back. Adshares got 86% back. Echo got ~99% back. Grok/Bankrbot got ~80% back. Polymarket froze ~29% of the drained funds within hours. Negotiated bounty deals and on-chain rapid-response are quietly becoming the settlement layer for sloppy hacks. Whether that's healthy in the long run is a separate fight.

=====================================
THANK YOU for reading. If you find this post helpful, please share it with someone you care about. A like, a comment, a repost, a bookmark, any of it helps this kind of work reach the people who need it most. Digging into blockchain and AI security is my passion because I look around and see so many of us exposed to real threats with very little awareness about them. I want to change that, one post at a time, starting with the people in my own circle. Your support keeps me motivated to keep digging. Stay Safe. 🌮

April Recap: ⚠️ April 2026 is the worst month for crypto hacks since March 2022. It is also the single highest month for number of incidents in crypto history. See below chart.

The receipts:
> ~$651M lost across 29 separate incidents per CertiK
> 81% jump in incident count from January 2026's previous high of 16
> Highest dollar loss since March 2022 ($715M), excluding Feb 2025 Bybit
> ~95% of losses concentrated in just two attacks
> ~$18.2M recovered through white hats, negotiations, and protocol responses

The five protocol-level breaches that mattered:
> Apr 1: Drift Protocol, $285M (Lazarus). Pre-signed Solana durable nonces. Real signers tricked into authorizing transactions weeks before execution.
> Apr 13: Hyperbridge, $2.5M (revised from $237K initial). Forged Merkle Mountain Range proofs. 1 billion unbacked bridged DOT minted on Ethereum.
> Apr 16: Rhea Finance, $18.4M. Two days of attack preparation. Oracle manipulation via fake token pool.
> Apr 18: Kelp DAO, $292M (Lazarus). LayerZero 1/1 verifier exploit. RPC poisoning plus DDoS failover. 116,500 rsETH stolen.
> Apr 30: Wasabi Protocol, $4.55M. Deployer wallet compromise. Sole admin role, no multisig, no timelock. Multi-chain drain across Ethereum, Base, Berachain, and Blast.

The Lazarus tally:
> 3 confirmed Lazarus jobs (Drift, Kelp, Zerion)
> Combined: ~$577M = ~89% of all April losses
> TraderTraitor subunit named specifically in the Kelp attribution
> Zerion was the first confirmed AI-driven social engineering breach

The pattern that should scare every DeFi user:
> Smart contract bugs were not the failure point in any of the major April incidents
> Every breach above $1M was through admin keys, signers, oracles, bridge infrastructure, or domain hijacks
> The audits caught the smart contract failure modes. Attackers attacked everything else.

What this sets up for May:
> Lazarus alone took 89% of April's losses
> AI-assisted social engineering went from theory to documented incident
> The Mythos breach gave a private Discord group access to a frontier model that can autonomously discover zero-days
> Coinbase and Binance are reportedly testing Mythos for defense

The defensive arms race is real now. But so is the offensive one. Stay Safe. 🫡
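The TrapDoor item above describes .cursorrules and CLAUDE.md files padded with zero-width Unicode that a reviewer never sees but an AI coding assistant reads as text. The following is an added defensive check, not code from the post's author, Socket or Phoenix Security: it scans a repository for those instruction files and reports every invisible code point per line. It goes slightly beyond the post by also flagging the Unicode "tag" range (U+E0000 to U+E007F), another invisible block; the sample content in `SAMPLE` is constructed for illustration.

```python
"""Flag invisible Unicode in AI-assistant instruction files (added example)."""
import tempfile
import unicodedata
from pathlib import Path

# Explicit zero-width code points; category "Cf" (format) catches the rest.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x180E}

def is_invisible(ch: str) -> bool:
    """True for code points that render as nothing but survive as text."""
    cp = ord(ch)
    return cp in ZERO_WIDTH or 0xE0000 <= cp <= 0xE007F or unicodedata.category(ch) == "Cf"

def find_hidden(text: str) -> list:
    """Return (line_no, 'U+XXXX', unicode_name, count) per invisible code point per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        counts = {}
        for ch in line:
            if is_invisible(ch):
                counts[ch] = counts.get(ch, 0) + 1
        for ch, n in counts.items():
            findings.append((line_no, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"), n))
    return findings

def strip_hidden(text: str) -> str:
    """Return text with every invisible code point removed (what a human saw)."""
    return "".join(ch for ch in text if not is_invisible(ch))

def scan_instruction_files(root: Path, names=("CLAUDE.md", ".cursorrules")) -> dict:
    """Map each instruction file under root that carries hidden code points to its findings."""
    report = {}
    for p in root.rglob("*"):
        if p.is_file() and p.name in names:
            hits = find_hidden(p.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(p.relative_to(root))] = hits
    return report

# Constructed sample: zero-width spaces on line 1, two tag characters on line 2.
SAMPLE = ("Use 4-space indentation.\u200b\u200b\u200b Run tests before commit.\n"
          "Prefer pytest.\U000E0041\U000E0042\n"
          "Keep functions short.\n")

def run_demo() -> dict:
    """Write SAMPLE as a constructed CLAUDE.md beside a clean README and scan the tree."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "CLAUDE.md").write_text(SAMPLE, encoding="utf-8")
        (root / "README.md").write_text("no hidden characters here\n", encoding="utf-8")
        return scan_instruction_files(root)
```

Running this in CI against the checked-out tree turns a file that looks identical to a human into a failing check.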
#ThreatProtection #DPAPILoader and #RemotePE #malware leveraged in recent campaign attributed to #Lazarus #APT, read more about Symantec's protection: broadcom.com/support/securit…
#NorthKorea #Lazarus Group is using a new fileless #malware called RemotePE that runs entirely in memory to target #crypto firms and #banks. They lure victims through fake Calendly links in #Telegram. Lazarus has already stolen $577M this year alone, making up 76% of all global crypto thefts. #MarketUpdate #StockMarket #trading #USA #stocks #Bullish #bearish #TRUMP $Trump #America #DonaldTrump #rates #GlobalTrade #altcoin #altcoins #altseason #coin #coins #token #cryptocurrency #UnitedStates #US #SCAM
It has been reported that Lazarus used multi-stage malware in attacks on financial and cryptocurrency organizations, in which the RAT itself runs only in memory and the components left on disk are DPAPI-encrypted to block analysis by outsiders. This RAT, called “RemotePE”, sits at the end of a three-stage malware chain; it is fetched from the C2 server and then runs only in memory, so it leaves no traces on disk. Meanwhile, the next-stage loader and configuration files stored on disk are encrypted with Windows DPAPI (Data Protection API); because the decryption key is bound to the user account on the victim machine, a sample taken off the host can be neither decrypted nor statically analyzed without that key.

[Key points]
- Published by Fox-IT, part of NCC Group, as findings from multiple incident response engagements. Three-stage structure: the first-stage DPAPILoader decrypts the second-stage RemotePELoader with DPAPI and loads it into memory, and RemotePELoader fetches the RAT itself from C2 and unpacks it in memory. The first-stage DPAPILoader is disguised with a DLL name closely resembling a legitimate Windows service name and runs automatically at system startup.
- RemotePELoader evades EDR monitoring in two steps: first it removes security products' monitoring hooks with a technique that invokes Windows system calls directly (Hell's Gate), then it patches ETW (Windows' event tracing facility) to suppress event generation from the process.
- Delivery of the RAT from C2 is not immediate and automatic; a model in which an operator intervenes and decides on delivery is suggested. In the six successful sessions Fox-IT obtained by reimplementing the C2 protocol and connecting, the delivery times all fell within daytime hours in KST (UTC+9).
- The file deletion command overwrites the file seven times with a constant byte, renames it, and then deletes it. Similar behaviour combining multi-pass overwriting with renaming has been reported in PondRAT and POOLRAT from the same subgroup.
- At publication time, RemotePELoader and RemotePE were not on VirusTotal. The compile timestamps of the four samples obtained span July 2023 to May 2024, indicating continuous development over roughly 10 months.

Initial contact was reportedly made via social engineering over Telegram, using fake Calendly and Picktime domains. Since disk forensics alone cannot detect the RemotePE payload itself, checking for suspicious DPAPI-encrypted files in unexpected directories is recommended. Details: blog.fox-it.com/2026/05/22/r…
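The post above ends with Fox-IT's recommendation to look for DPAPI-encrypted files in unexpected directories. The following is an added triage helper, not Fox-IT's code: a DPAPI blob cannot be decrypted off-host, but `CryptProtectData` output starts with a fixed header (version 1 followed by the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb) and then the master-key GUID, which is enough to find such files and to tell which user profile's master key would be needed to open them. The directory walked and the sample files written by `run_demo()` are constructed for illustration.

```python
"""Triage files on disk that carry the Windows DPAPI blob header (added example)."""
import struct
import tempfile
import uuid
from pathlib import Path

# dwVersion == 1, then guidProvider, both little-endian as stored on disk.
DPAPI_MAGIC = bytes.fromhex("01000000" "d08c9ddf0115d1118c7a00c04fc297eb")
HEADER_LEN = 44  # magic (20) + dwMasterKeyVersion (4) + guidMasterKey (16) + dwFlags (4)

def parse_masterkey_guid(data: bytes):
    """Return the master-key GUID of a DPAPI blob as a string, or None if not a blob.

    The GUID names the file under %APPDATA%\\Microsoft\\Protect\\<SID>\\ (or the
    system key store) needed to decrypt it, i.e. which account the blob is bound to.
    """
    if len(data) < HEADER_LEN or data[:len(DPAPI_MAGIC)] != DPAPI_MAGIC:
        return None
    return str(uuid.UUID(bytes_le=data[24:40]))

def scan_dir(root: Path, max_size: int = 16 * 1024 * 1024) -> dict:
    """Map every DPAPI-looking file under root (by name) to its master-key GUID."""
    hits = {}
    for p in root.rglob("*"):
        if not p.is_file() or p.stat().st_size > max_size:
            continue
        try:
            with p.open("rb") as fh:
                head = fh.read(HEADER_LEN)
        except OSError:
            continue  # unreadable file; skip rather than abort the sweep
        guid = parse_masterkey_guid(head)
        if guid is not None:
            hits[p.name] = guid
    return hits

def run_demo() -> dict:
    """Write a constructed DPAPI-like blob and a plain file, then scan the tree."""
    mk_guid = uuid.UUID("5b2c7e0a-1d5e-4f3a-9c8b-2a7d1e6f0c41")  # constructed value
    blob = DPAPI_MAGIC + struct.pack("<I", 1) + mk_guid.bytes_le + struct.pack("<I", 0)
    blob += b"\x00" * 64  # stand-in for the description and ciphertext fields
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "drivers").mkdir()
        (root / "drivers" / "sample_loader.dat").write_bytes(blob)  # constructed name
        (root / "readme.txt").write_bytes(b"plain text, not a DPAPI blob")
        return scan_dir(root)
```

A hit in a directory where no application is expected to keep protected data, with a master-key GUID that maps to an interactive user rather than a service account, is the kind of finding the post asks responders to check for.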
North Korean 🇰🇵 Lazarus APT deploys RemotePE, a fileless RAT that runs entirely in memory using DPAPI encryption keying. Fox-IT analysis shows active development from 2023-2024 with manual C2 operator approval during KST hours. #DFIR_Radar
⚠️ Lazarus keeps RemotePE off the filesystem #RemotePE runs entirely in memory after DPAPILoader and RemotePELoader, leaving no disk artifact while targeting finance and #crypto firms. 🔗 read more: thehackernews.com/2026/05/la… #ransomNews #cybersecurity
[Lazarus may be deploying RemotePE via fake meeting links] The Hacker News reported that North Korea-linked Lazarus had deployed RemotePE against financial and cryptocurrency organizations. The attacks reportedly began with contact on Telegram impersonating existing employees, followed by meeting invitations using fake Calendly and fake Picktime domains. RemotePE is a RAT that runs in memory and supports file operations, process operations, C2 configuration changes, DLL module registration and more. Rather than a simple malware infection, an actor-in-the-loop operation is suggested, in which an operator selects high-value targets and delivers the next stage. Financial, DeFi, Web3 and cryptocurrency-related companies should now step up monitoring of meeting invitations, recruiting contacts and developer endpoints. #Lazarus #DPRK #RemotePE #DeFi #Web3Security #CryptoAssets #SocialEngineering thehackernews.com/2026/05/la…
Memory-only malware like RemotePE targets wallets, but on-chain drainers and fake tokens thrive too. Elephant Guard checks live chain evidence at scan time, flags contract risks, and delivers a clear verdict—paste a token for a free first scan. #WalletSafety #TokenRisk
May 25
🚩 Lazarus Deploys Memory-Only RAT Against Financial and Crypto Firms thehackernews.com/2026/05/la… Lazarus is using a cross-platform malware called RemotePE against financial and crypto organizations. The chain starts with DPAPILoader, moves through RemotePELoader, then delivers RemotePE, a RAT that runs entirely in memory, which means fewer filesystem artifacts and a smaller forensic footprint. The campaign also uses social engineering, fake scheduling domains, C2 polling, EDR evasion, and file deletion routines seen in other Lazarus-linked malware. #ThreatIntelligence #Lazarus #Crypto #CyberSecurity