Rupert Marais is a leading security specialist who has spent years perfecting defense strategies for endpoint and device security. With a deep focus on network management and the evolving tactics of advanced persistent threats, he provides a critical perspective on how modern attackers bypass traditional perimeters. In this conversation, we explore the rise of stealthy, memory-only malware that targets high-value financial institutions. We delve into the psychological manipulation used in social engineering, the multi-stage loading processes that utilize legitimate Windows APIs to hide malicious intent, and the sophisticated evasion techniques designed to blind even the most advanced monitoring systems.
How are attackers evolving their initial contact strategies to bypass the skepticism of highly trained professionals in the financial and crypto sectors?
The shift we are seeing is a move away from generic, bulk email phishing toward highly personalized, “actor-in-the-loop” social engineering. Attackers are now approaching victims on messaging apps like Telegram, often posing as a trusted colleague from a known trading company to establish a sense of professional rapport. They use this trust to schedule meetings using fake Calendly or Picktime domains, which look perfectly legitimate to a busy employee. It is a gut-wrenching experience for a target to realize that a simple, routine action like clicking a calendar link actually launched a multi-stage infection chain. By exploiting the human element through these familiar platforms, the attackers can bypass the technical defenses that usually filter out suspicious external communications.
Once that initial malicious link is clicked, what does the internal movement of the malware look like, and how does it maintain such a low forensic footprint?
The intrusion follows a very deliberate three-stage sequence designed to keep the most dangerous components away from the hard drive. It begins with the DPAPILoader, which uses the Windows Data Protection API to decrypt a payload that has been hiding on the disk. This then launches the RemotePELoader, which reaches out to a remote server at aes-secure[.]net to fetch the core module of the attack. The final stage, the RemotePE RAT, is executed entirely in memory and is never written to the disk, meaning there are no filesystem artifacts for a typical scanner to find. The earliest signs of this specific loader date back to November 2023, showing just how long these actors can remain hidden while refining their silent approach.
What specific techniques are these actors using to ensure they stay invisible to modern detection systems?
This toolset is purpose-built for long-term observation, utilizing advanced evasion techniques like Hell’s Gate and patching Event Tracing for Windows, also known as ETW. By patching ETW, the malware essentially blinds the operating system, preventing it from logging the very activities that would tip off a security team. The RemotePE RAT itself is written in C++ and continuously polls its command-and-control server for one of six categories of instructions. These commands allow the attacker to modify configurations, manage files, or even kill running processes by their ID, all while the system’s primary defenses remain completely unaware of the breach. It creates a terrifying environment where an adversary has total control over a device, yet the security dashboard shows everything is normal.
There is a very specific behavior mentioned regarding how the malware deletes files—what does that tell us about the attacker’s intent and technical history?
The way this malware handles file deletion is a clear signature of a highly disciplined and paranoid actor. Instead of a simple delete command, it overwrites each file with constant bytes seven times, then renames the file before finally deleting it from the system. This pattern is a forensic countermeasure designed to ensure that data can never be recovered, and we have seen this exact behavior before in other malware families like PondRAT and POOLRAT. These similarities suggest a shared lineage or a common set of development standards within the Lazarus subgroup. It indicates that the objective isn’t just a quick financial heist, but a sustained, stealthy presence where covering one’s tracks is just as important as the theft itself.
What is your forecast for the future of security in the cryptocurrency and decentralized finance space given these highly specialized toolsets?
I believe we are entering a period where the detection of “fileless” threats will become the primary challenge for the DeFi and financial sectors. Since samples of RemotePE and its loaders did not even appear on VirusTotal prior to these recent reports, it is clear that these groups are reserving their best tools for high-value targets. The fact that the RAT was under active development between mid-2023 and mid-2024, with the first version compiled on July 4, 2023, shows a relentless pace of innovation. We should expect to see more attacks that reside purely in memory and use “environmental keying” to ensure the malware only runs on the specific intended target. For organizations, this means that traditional antivirus is no longer enough; the future of defense lies in behavioral hunting and constant monitoring of volatile memory.
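The overwrite-rename-delete wiping sequence described in this conversation is a behaviour that can be hunted for in file-activity telemetry even when the RAT itself never touches disk. The following is an added example, not code from the interview or from any vendor: a small Python detector that walks a stream of file events and flags any file that one process overwrote at least seven times in a row, then renamed, then deleted. The event shape (dicts with `pid`, `op`, `path`, `new_path`) and the sample events are constructed for the example; real Sysmon or EDR file events would need to be mapped onto that shape first, and a production rule would also inspect write contents for the constant-byte fill rather than counting writes alone.

```python
"""Added example (not part of the interview): flag the overwrite-rename-delete
wiping sequence in a stream of file-activity events.

Assumptions (constructed for this example, not from any real product):
each event is a dict with 'pid', 'op' ('write' | 'rename' | 'delete'),
'path', and for renames 'new_path'. Write contents are not inspected, so this
counts overwrite passes rather than checking for constant-byte fills.
"""

# The interview describes seven constant-byte overwrite passes before the rename.
WIPE_PASSES = 7


def find_wipe_sequences(events, min_passes=WIPE_PASSES):
    """Return [(pid, original_path, passes)] for every file that a single
    process wrote to at least `min_passes` times in a row, then renamed, then
    deleted. A plain delete, or an overwrite run that is not followed by a
    rename, is not flagged, which keeps ordinary editor saves out of the results."""
    state = {}      # (pid, current_path) -> {'orig', 'passes', 'renamed'}
    findings = []
    for ev in events:
        key = (ev["pid"], ev["path"])
        op = ev["op"]
        if op == "write":
            st = state.get(key)
            if st is None or st["renamed"]:
                # first write, or a write after the rename: start a fresh run
                st = {"orig": ev["path"], "passes": 0, "renamed": False}
                state[key] = st
            st["passes"] += 1
        elif op == "rename":
            st = state.pop(key, None)
            # only a rename that directly follows a long enough overwrite run
            # carries the state over to the new name
            if st is not None and st["passes"] >= min_passes and not st["renamed"]:
                st["renamed"] = True
                state[(ev["pid"], ev["new_path"])] = st
        elif op == "delete":
            st = state.pop(key, None)
            if st is not None and st["renamed"]:
                findings.append((ev["pid"], st["orig"], st["passes"]))
        else:
            # any other operation on the file breaks the pattern
            state.pop(key, None)
    return findings


# Constructed sample telemetry: one wipe sequence and two benign patterns.
LEDGER = r"C:\Users\analyst\Documents\ledger.xlsx"
TMP = r"C:\Users\analyst\Documents\a8f3.tmp"
NOTES = r"C:\Users\analyst\Desktop\notes.txt"
REPORT = r"C:\Users\analyst\Documents\report.docx"

SAMPLE_EVENTS = (
    [{"pid": 4120, "op": "write", "path": LEDGER} for _ in range(7)]
    + [
        {"pid": 4120, "op": "rename", "path": LEDGER, "new_path": TMP},
        {"pid": 4120, "op": "delete", "path": TMP},
        # benign: a scratch file written once and then deleted by the user
        {"pid": 880, "op": "write", "path": NOTES},
        {"pid": 880, "op": "delete", "path": NOTES},
    ]
    # benign: an editor saving the same document repeatedly, never renamed or deleted
    + [{"pid": 2200, "op": "write", "path": REPORT} for _ in range(9)]
)


if __name__ == "__main__":
    for pid, path, passes in find_wipe_sequences(SAMPLE_EVENTS):
        print(f"pid {pid}: {passes}-pass overwrite, rename and delete of {path}")
```

Run against the constructed events, only the seven-pass sequence on `ledger.xlsx` by pid 4120 is reported; the single write-then-delete and the repeated saves are ignored. Raising `min_passes` tightens the rule, and tying the detector to process lineage (the DPAPILoader and RemotePELoader chain described above) would sharpen it further in a real hunt.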
