https://www.hackplayers.com/2026/05/project-onyx-parecer-legitimo-al-edr.html
RemotePE: The Lazarus RAT that lives in memory
A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through the HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence by masquerading as legitimate Windows services.
Pulse ID: 6a1447f25db6bc082d5093cb
Pulse Link: https://otx.alienvault.com/pulse/6a1447f25db6bc082d5093cb
Pulse Author: AlienVault
Created: 2026-05-25 13:00:34
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #EDR #Edge #InfoSec #Korea #Lazarus #Malware #Namecheap #NorthKorea #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #Windows #bot #cryptocurrency #AlienVault
GraphWorm Malware Abuses Microsoft OneDrive for Stealthy C2 Operations
GraphWorm is a backdoor used by Webworm (a China-aligned APT) that routes all C2 traffic through Microsoft OneDrive via the Graph API, disguising malicious activity as normal cloud usage. Targets include government entities.
Pulse ID: 6a10c410ad801eb12ab1360a
Pulse Link: https://otx.alienvault.com/pulse/6a10c410ad801eb12ab1360a
Pulse Author: cryptocti
Created: 2026-05-22 21:01:04
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #China #Cloud #CyberSecurity #EDR #Government #InfoSec #Malware #Microsoft #OTX #OpenThreatExchange #RAT #Worm #bot #cryptocti
New IOCs observed from breached threat actor logs:
mavpaprokla[.]lat
smackit[.]lat
Recommend:
• Block/sinkhole at DNS and proxy layers
• Hunt across DNS, HTTP/S, EDR, and firewall telemetry
• Check for historical resolutions and outbound connections
• Review related infrastructure, certificates, and passive DNS pivots
If seen in your environment, treat as potentially malicious pending further enrichment.
#ThreatIntel #IOC #IOCs #CyberThreatIntelligence #DFIR #BlueTeam #SOC #ThreatHunting #Malware #Infosec #CyberSecurity #OSINT #DetectionEngineering #IncidentResponse #CTI #NetworkSecurity #DNS #ThreatResearch #CyberDefense #SIEM #EDR #MalwareAnalysis
New Stealthy Vidar Stealer Campaign Bypasses EDR and Steals Credentials
Pulse ID: 6a0952a57e16da067219eda8
Pulse Link: https://otx.alienvault.com/pulse/6a0952a57e16da067219eda8
Pulse Author: cryptocti
Created: 2026-05-17 05:31:17
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #EDR #InfoSec #OTX #OpenThreatExchange #Vidar #bot #cryptocti
GCP × Container EDR × Resold GCP: Three Pitfalls We Hit When Choosing Between SCC and SecOps
https://qiita.com/hirashima-gmoconnect/items/a5b8baecf0ac85047564?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items
OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION
A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...
Pulse ID: 6a008382641183db3b20fef5
Pulse Link: https://otx.alienvault.com/pulse/6a008382641183db3b20fef5
Pulse Author: AlienVault
Created: 2026-05-10 13:09:22
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault