Lazarus Group, the DPRK-affiliated cluster whose financial targeting in APAC has been continuous since 2018, deployed a remote access tool this month against licensed banks and cryptocurrency custodians in which the payload never writes to disk. The technique is MITRE ATT&CK T1055, process injection: the implant allocates executable memory inside a legitimate Windows host process and executes from there. No file on disk. No registry key. The file-system layer your endpoint platform scans has nothing to inspect.
The target profile follows the cluster's established mandate. The ByBit theft, roughly 1.5 billion USD in ETH drained in a single session, is attributed to this cluster. Licensed banks with settlement exposure in Southeast Asia and crypto custodians holding institutional client assets are the repeat target category. A memory-resident implant inside a trading-floor workstation or a custody signing environment gives the dwell time needed to pre-position before a coordinated wire instruction or a timed exchange withdrawal.
Memory-resident implants do not survive a clean reboot, so whatever re-delivers the payload after each one is a persistence mechanism in its own right. The FBI's public attribution of the ByBit theft to this cluster was published in February 2025, and hosts in the target population have rebooted since. If the implant keeps coming back, the re-delivery mechanism, whatever it is, is already in the environment, and that is what a hunt should look for.
MAS Technology Risk Management Guidelines, revised in January 2021, list endpoint detection and response as a required control for licensed financial institutions in Singapore. HKMA's Supervisory Policy Manual TM-G-1 carries an equivalent requirement for Hong Kong licensed banks. Both frameworks specify EDR. Neither specifies what detection coverage must include when the payload resides entirely in process memory. A bank that deployed EDR to satisfy MAS TRM has no guarantee that it detects in-memory implants.
The annual technology risk attestation a Singapore bank files with MAS does not ask whether memory scanning is enabled on its EDR deployment, whether memory-event telemetry is forwarded to the SIEM, or whether the security operations center holds a playbook for T1055 alerts. A clean attestation and an implant resident in a legitimate host process: both can be true at once.
When I was at Mandiant APAC, the consistent pattern at regional bank incidents was EDR deployed and licensed, memory scanning left at the vendor default, and that default tuned conservatively for latency-sensitive trading systems. Reliable T1055 detection requires Event Tracing for Windows (ETW) kernel-level telemetry, memory-region allocation baselining, or behavioral analysis of injection patterns (cross-process handles opened with write and thread-creation rights, remote threads whose start address no loaded module backs, executable private regions that no image maps). MAS TRM names none of these. HKMA's TM-G-1 names none of these.
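As an added example (not code from the article, from Mandiant, or from any EDR vendor), the following Python implements the second and third of those requirements, memory-region baselining and behavioral injection-pattern analysis, over constructed telemetry. Events are plain dicts shaped loosely after Sysmon Event ID 10 (ProcessAccess), Event ID 8 (CreateRemoteThread) and a periodic memory-region snapshot; the field names, file paths, sample events and allowlists are assumptions made for illustration, not vendor schemas or real indicators.

```python
"""T1055 injection-pattern detection over constructed endpoint telemetry.

Added example, not from the article or any vendor. Events are dicts shaped
loosely after Sysmon EID 10 (ProcessAccess), EID 8 (CreateRemoteThread) and a
memory-region snapshot; field names, paths and allowlists are assumptions.
"""
from dataclasses import dataclass

# Process access rights, from the Windows "Process Security and Access Rights" docs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

EXECUTABLE_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                          "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

# Assumed baselines: system images that legitimately open other processes with
# broad rights, and JIT hosts that legitimately hold private executable memory.
# Every entry here is a blind spot you chose; this is where "vendor default" lives.
TRUSTED_ACCESSORS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\lsass.exe"}
JIT_HOSTS = {r"c:\program files\google\chrome\application\chrome.exe"}


@dataclass
class Finding:
    rule: str
    source: str
    target: str
    detail: str


def has_injection_rights(granted_access: int) -> bool:
    """True when one handle carries VM write, VM operation and thread creation together."""
    return granted_access & INJECT_MASK == INJECT_MASK


def check_process_access(ev):
    """EID-10-like event: one process opened a handle to another."""
    src, tgt = ev["source_image"].lower(), ev["target_image"].lower()
    if src == tgt or src in TRUSTED_ACCESSORS or not has_injection_rights(ev["granted_access"]):
        return None
    return Finding("cross_process_write_and_thread", src, tgt,
                   f"granted_access=0x{ev['granted_access']:X}")


def check_remote_thread(ev):
    """EID-8-like event: a thread created in another process."""
    # No loaded module backs the start address: the entry point came from an
    # allocation, not from a file on disk.
    if ev.get("start_module"):
        return None
    return Finding("remote_thread_unbacked_start", ev["source_image"].lower(),
                   ev["target_image"].lower(), f"start_address={ev['start_address']}")


def check_memory_region(ev):
    """Snapshot entry: executable private (non-image) memory outside the JIT baseline."""
    proc = ev["image"].lower()
    if ev["protect"] not in EXECUTABLE_PROTECTIONS or ev["type"] != "MEM_PRIVATE" or proc in JIT_HOSTS:
        return None
    return Finding("private_executable_region", proc, proc,
                   f"{ev['protect']} at {ev['base']} size=0x{ev['size']:X}")


CHECKS = {"process_access": check_process_access,
          "remote_thread": check_remote_thread,
          "memory_region": check_memory_region}


def analyze(events):
    """Route each event to the check for its kind; return the list of findings in order."""
    findings = []
    for ev in events:
        finding = CHECKS[ev["kind"]](ev)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs): one injector, one trusted system
# accessor, one read-only handle, one module-backed remote thread, one image
# mapping, and one JIT host holding RWX memory.
SAMPLE_EVENTS = [
    {"kind": "process_access", "source_image": r"C:\Users\ops\Downloads\helper.exe",
     "target_image": r"C:\Windows\explorer.exe", "granted_access": 0x1F3FFF},
    {"kind": "process_access", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\explorer.exe", "granted_access": 0x1FFFFF},
    {"kind": "process_access", "source_image": r"C:\Windows\System32\taskmgr.exe",
     "target_image": r"C:\Windows\explorer.exe", "granted_access": 0x1400},
    {"kind": "remote_thread", "source_image": r"C:\Users\ops\Downloads\helper.exe",
     "target_image": r"C:\Windows\explorer.exe", "start_address": "0x1A2B3C40000", "start_module": ""},
    {"kind": "remote_thread", "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\explorer.exe", "start_address": "0x7FF81234ABC0",
     "start_module": r"C:\Windows\System32\ntdll.dll"},
    {"kind": "memory_region", "image": r"C:\Windows\explorer.exe", "base": "0x1A2B3C40000",
     "size": 0x20000, "protect": "PAGE_EXECUTE_READWRITE", "type": "MEM_PRIVATE"},
    {"kind": "memory_region", "image": r"C:\Windows\explorer.exe", "base": "0x7FF812340000",
     "size": 0x1F0000, "protect": "PAGE_EXECUTE_READ", "type": "MEM_IMAGE"},
    {"kind": "memory_region", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "base": "0x2E4F00000", "size": 0x10000, "protect": "PAGE_EXECUTE_READWRITE", "type": "MEM_PRIVATE"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.source} -> {f.target} ({f.detail})")
```

Run as written, the three constructed injection events produce three findings and the five benign ones produce none. The two allowlists are the baseline the article says regulators never ask about: a JIT host added to `JIT_HOSTS` to silence noise on a trading workstation is exactly the kind of conservative tuning that lets a private RWX region go unexamined, so both sets should be derived from the estate and reviewed, not copied from a default.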
MAS TRM was last revised in January 2021. HKMA's TM-G-1 carries the same omission. A bank with a clean technology risk attestation filed this quarter may have Lazarus Group code executing in its process tree, and nothing in that attestation asks about memory scanning or ETW telemetry. What triggers a framework revision is not an internal review cycle. It is an incident report filed with MAS or HKMA naming a licensed institution. That report has not been filed yet.