DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:03:37ZSOURCES: 14CRITICAL: 15
⚠ ACTIVE ALERTS
SYLVANITE CRITICAL — SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated… /// @MsftSecIntel CRITICAL — We are tracking TeamPCP (UNC6780) activity following the GitHub internal repository… /// @GossiTheDog CRITICAL — The GitHub / TeamPCP breach is now being monetized on BreachForums. Listing is up — $95k… /// @struppigel CRITICAL — SUPPLY CHAIN ALERT: Laravel-Lang PHP packages backdoored May 22-23 via hijacked GitHub… /// @MalwareHunterTeam CRITICAL — Seeing fresh DebugElevator stealer log batches already appearing for sale on Exploit.in —…
15Critical Threats
8Active CVEs
0IOCs Tracked
0New Advisories
INTEL FEED/ARCHIVE/APT
DMZ INTEL DESK//FILED: 2026-05-26//08:48Z
CRITICAL#apt

Lazarus Group Deploys RemotePE Memory-Only RAT Against Crypto and Financial Firms; $577M Stolen YTD

Fox-IT (NCC Group) researchers Yun Zheng Hu and Mick Koomen disclosed that the North Korea-linked Lazarus Group is actively deploying RemotePE, a fully fileless RAT that executes entirely in memory via a three-stage chain using DPAPILoader, RemotePELoader, and Hell's Gate/ETW-patching techniques — leaving zero filesystem artifacts and evading EDR. Initial access begins with Telegram-based social engineering where operators impersonate trading firm employees and lure targets through fake Calendly and Picktime scheduling domains. Neither RemotePELoader nor RemotePE appeared on VirusTotal prior to publication, suggesting the toolset is reserved for high-value targets; Lazarus has stolen approximately $577M in crypto in the first four months of 2026 alone, accounting for 76% of all global crypto theft.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
lazarus-group · remotepe · fileless-malware · cryptocurrency-theft · dpapi-loader · dprk · gleaming-pisces · fox-it · telegram-lure · defi
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

MORE FROM ARCHIVE

# APT
2026-05-25
Operation Saffron: First VPN Dismantled — 33 Servers Seized, Ukrainian Admin Arrested, User Database Captured Exposing 25+ Ransomware Groups Including Avaddon and Phobos
# APT
2026-05-25
Ghostwriter (UAC-0057 / UNC1151) Deploys Novel OYSTERBLUES Implant Against Ukrainian Government via Prometheus Learning Platform Lures — Active Since Spring 2026
# APT
2026-05-24
Salt Typhoon Expands to 80+ Countries with New TernDoor/PeerTime/BruteEntry Implants; South American Telecoms Now Targeted
# APT
2026-05-24
Ghostwriter/UAC-0057 Resurfaces with OYSTERFRESH/OYSTERBLUES Malware Chain, Abusing Prometheus Learning Platform as Lure Against Ukrainian Government Targets