APT / THREAT GROUP
DPAPILoader
2 aliases
Last seen: Jun 11, 2026
Intelligence Profile
According to Fox-IT, DPAPILoader is a loader implemented as a DLL that decrypts an encrypted payload from disk using DPAPI and then loads it into memory, enabling persistence by starting at boot as a legitimate-appearing service. It uses environment-bound encryption and obfuscation (DPAPI keys tied to the user and a fixed XOR) to tie the payload to the victim and hinder static analysis. The loader then hands off to a second-stage loader, RemotePELoader, as part of a multi-stage chain designed to minimize on-disk artifacts and maximize stealth.
Threat Analysis
The available intelligence does not establish a sophistication level, national origin, or primary motivation for DPAPILoader; its activity patterns remain undetermined.
Intelligence Reports Mentioning DPAPILoader
Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms
The Hacker News · May 25, 2026
External References
Quick Facts
Type: APT / Threat Group
Aliases: 2
Also Known As: DPAPILoader, win.dpapi_loader
External Intelligence
Malpedia: win.dpapi_loader
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.