Every endpoint detection vendor with meaningful APAC FSI market share lists runtime detection of T1055 process injection in its capability matrix. The Lazarus Group campaign against banks and cryptocurrency firms, documented this week by The Hacker News, deploys a memory-only implant engineered to exploit exactly the gap between that listed capability and what the deployed product detects in practice. The payload runs entirely in volatile memory via T1055 process injection and T1620 reflective code loading. Nothing touches disk. No registry key is modified. No artifact survives a reboot that a forensics examiner could hand to a regulator. Lazarus Group carries DPRK attribution extending from the 2016 SWIFT compromise of $81 million from Bangladesh Bank through Operation AppleJeus, which targeted cryptocurrency exchanges across Southeast Asia. The Hacker News reporting does not name which EDR products were deployed at affected institutions when the implant ran.
MAS TRM 2021 and HKMA's Supervisory Policy Manual TM-E-1 both require financial institutions to deploy endpoint protection controls, and neither specifies memory forensics coverage, behavioral baselining against injection signatures, or any audit standard that would surface a memory-resident implant after the fact. The omission is structural. When I was at Mandiant, in-memory implants on APAC bank endpoints were the hardest post-incident gap to close, not because behavioral detection tooling did not exist, but because institutional procurement had locked firms into products not running kernel-level injection monitoring, and the evidence we needed was in RAM that reboots had already cleared. The MITRE ATT&CK Enterprise Evaluations, published annually at attack.mitre.org, distinguish vendors that generate real-time T1055 behavioral detections from those that surface the activity only in retrospective telemetry; for any APAC CISO currently certifying endpoint controls under MAS TRM 2021 to an MAS examiner, the published results are the starting point, not the vendor's capability matrix.
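The two detection questions raised above, whether a product sees the T1055 injection sequence as it happens and whether anything in RAM would show T1620 reflective loading before a reboot clears it, come down to two concrete checks. The following is an added example, not code from the article, from any vendor it names, or from any EDR product: it correlates a write-capable cross-process handle with a subsequent remote thread using records shaped like Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread), and it flags private executable memory regions with no backing file, the usual memory-forensics indicator of a reflectively loaded payload. The event records, memory regions, process names and PIDs are constructed for illustration; the access-right constants are the standard winnt.h values.

```python
"""Two behavioral checks for memory-only implant tradecraft.

Added example (not code from the article, the vendors it mentions, or any
EDR product). Check 1: correlate an injection-capable cross-process handle
with a remote thread on the same target (T1055). Check 2: find private
executable memory with no file backing (T1620 reflective loading).
All sample events, regions, image names and PIDs below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Win32 process access rights an injector needs on the target (winnt.h values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed telemetry: src/dst are "image:pid"; access is the GrantedAccess
# hex mask from EID 10 (empty for EID 8, which carries no mask).
SAMPLE_EVENTS = [
    {"kind": "ProcessAccess", "time": "2024-01-01T09:00:00",
     "src": "svchost.exe:1204", "dst": "lsass.exe:640", "access": "0x1000"},       # QUERY_LIMITED_INFORMATION only
    {"kind": "ProcessAccess", "time": "2024-01-01T09:01:10",
     "src": "updater.exe:4412", "dst": "explorer.exe:2200", "access": "0x1F3FFF"},  # full write + thread rights
    {"kind": "CreateRemoteThread", "time": "2024-01-01T09:01:11",
     "src": "updater.exe:4412", "dst": "explorer.exe:2200", "access": ""},
    {"kind": "ProcessAccess", "time": "2024-01-01T09:05:00",
     "src": "MsMpEng.exe:3000", "dst": "chrome.exe:5100", "access": "0x1410"},     # read-only scan
    {"kind": "CreateRemoteThread", "time": "2024-01-01T10:30:00",
     "src": "csrss.exe:600", "dst": "notepad.exe:7000", "access": ""},             # no prior write handle seen
]

# Constructed memory-region listing for one process, in the shape a
# memory-forensics tool reports: base, size, type, protection, mapped file.
SAMPLE_REGIONS = [
    {"base": 0x7FF6A0000000, "size": 0x1000, "type": "MEM_IMAGE",
     "protect": "PAGE_EXECUTE_READ", "mapped_file": r"C:\Windows\explorer.exe"},
    {"base": 0x1C0A0000000, "size": 0x20000, "type": "MEM_PRIVATE",
     "protect": "PAGE_READWRITE", "mapped_file": ""},                  # ordinary heap
    {"base": 0x1C0B0000000, "size": 0x45000, "type": "MEM_PRIVATE",
     "protect": "PAGE_EXECUTE_READWRITE", "mapped_file": ""},          # unbacked RWX: suspicious
    {"base": 0x7FFD10000000, "size": 0x1000, "type": "MEM_MAPPED",
     "protect": "PAGE_EXECUTE_READ", "mapped_file": r"C:\Windows\System32\ntdll.dll"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def detect_injection(events, window=timedelta(seconds=5)):
    """Return one alert per CreateRemoteThread. Confidence is 'high' when the
    same source obtained an injection-capable handle on the same target within
    `window` beforehand, else 'low' (remote threads alone have benign uses)."""
    write_handles = defaultdict(list)  # (src, dst) -> times of injection-capable handles
    alerts = []
    for e in sorted(events, key=lambda ev: _t(ev["time"])):
        key, when = (e["src"], e["dst"]), _t(e["time"])
        if e["kind"] == "ProcessAccess":
            # All three rights must be present; a subset (e.g. read-only) is not enough.
            if int(e["access"], 16) & INJECT_MASK == INJECT_MASK:
                write_handles[key].append(when)
        elif e["kind"] == "CreateRemoteThread":
            recent = [w for w in write_handles[key] if timedelta(0) <= when - w <= window]
            alerts.append({"technique": "T1055", "src": e["src"], "dst": e["dst"],
                           "time": e["time"], "confidence": "high" if recent else "low"})
    return alerts


def find_unbacked_executable(regions):
    """Return private regions that are executable but map to no file on disk.
    Legitimate code lives in MEM_IMAGE regions backed by a PE on disk; a
    reflectively loaded payload has no such backing, so this is what a
    memory capture taken before reboot would show."""
    return [r for r in regions
            if r["type"] == "MEM_PRIVATE" and "EXECUTE" in r["protect"] and not r["mapped_file"]]


if __name__ == "__main__":
    for a in detect_injection(SAMPLE_EVENTS):
        print(f"[{a['confidence']}] {a['technique']} {a['src']} -> {a['dst']} at {a['time']}")
    for r in find_unbacked_executable(SAMPLE_REGIONS):
        print(f"unbacked executable region at {r['base']:#x} ({r['size']:#x} bytes, {r['protect']})")
```

The first check only works if the product forwards handle and thread events inline; a product that writes them to retrospective telemetry can reconstruct the sequence later but cannot act on it, which is the distinction the ATT&CK Evaluations results draw. The second check depends on a memory capture existing at all: once the endpoint reboots, the unbacked region is gone, so the capture has to be part of the incident playbook rather than something the examiner requests afterwards.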