{
	"id": "34e1c50d-b7ce-4d6b-ace6-7ca40fc48bc9",
	"created_at": "2026-04-06T00:12:44.2805Z",
	"updated_at": "2026-04-10T03:38:20.427802Z",
	"deleted_at": null,
	"sha1_hash": "53223f41ffe20e9661f9dbd4333f4f46cf210282",
	"title": "DTrack activity targeting Europe and Latin America",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 197110,
	"plain_text": "DTrack activity targeting Europe and Latin America\r\nBy Konstantin Zykov\r\nPublished: 2022-11-15 · Archived: 2026-04-05 14:44:53 UTC\r\nIntroduction\r\nDTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three\r\nyears later. It is used by the Lazarus group against a wide variety of targets. For example, we’ve seen it being used\r\nin financial environments where ATMs were breached, in attacks on a nuclear power plant and also in targeted\r\nransomware attacks. Essentially, anywhere the Lazarus group believes they can achieve some financial gain.\r\nDTrack allows criminals to upload, download, start or delete files on the victim host. Among those downloaded\r\nand executed files already spotted in the standard DTrack toolset there is a keylogger, a screenshot maker and a\r\nmodule for gathering victim system information. With a toolset like this, criminals can implement lateral\r\nmovement into the victims’ infrastructure in order to, for example, retrieve compromising information.\r\nAs part of our crimeware reporting service, we published a new private report about recent DTrack activity. In this\r\npublic article we highlight some of the main findings shared in that report. For more information about our\r\ncrimeware reporting service, please contact crimewareintel@kaspersky.com.\r\nSo, what’s new?\r\nDTrack itself hasn’t changed much over the course of time. Nevertheless, there are some interesting modifications\r\nthat we want to highlight in this blogpost. DTrack hides itself inside an executable that looks like a legitimate\r\nprogram, and there are several stages of decryption before the malware payload starts.\r\nFirst stage – implanted code\r\nDTrack unpacks the malware in several stages. The second stage is stored inside the malware PE file. To get it,\r\nthere are two approaches:\r\noffset based;\r\nresource based.\r\nThe idea is that DTrack retrieves the payload by reading it from an offset within the file or by reading it from a\r\nresource within the PE binary. An example of a decompiled pseudo function that retrieves the data using the\r\noffset-based approach can be found below.\r\nhttps://securelist.com/dtrack-targeting-europe-latin-america/107798/\r\nPage 1 of 5\n\nExample of DTrack offset-oriented retrieval function\r\nAfter retrieving the location of the next stage and its key, the malware then decrypts the buffer (with a modified\r\nRC4 algorithm) and passes control to it. To figure out the offset of the payload, its size and decryption keys,\r\nDTrack has a special binary (we have dubbed it ‘Decrypt config’) structure hidden in an inconspicuous part of the\r\nPE file.\r\nSecond stage – shellcode\r\nThe second stage payload consists of heavily obfuscated shellcode as can be seen below.\r\nHeavily obfuscated second stage shellcode\r\nThe encryption method used by the second layer differs for each sample. So far, we have spotted modified\r\nversions of RC4, RC5 and RC6 algorithms. The values of the third stage payload and its decryption key are\r\nobtained by reading Decrypt config again.\r\nOne new aspect of the recent DTrack variants is that the third stage payload is not necessarily the final payload;\r\nthere may be another piece of binary data consisting of a binary configuration and at least one shellcode, which in\r\nturn decrypts and executes the final payload.\r\nThird stage – shellcode and final binary\r\nThe shellcode has some quite interesting obfuscation tricks to make analysis more difficult. When started, the\r\nbeginning of the key (used to decrypt the final payload) is searched for. For example, when the beginning of the\r\nkey is 0xDEADBEEF, the shellcode searches for the first occurrence of 0xDEADBEEF.\r\nChunk decryption routine example\r\nOnce the key is found, the shellcode uses it to decrypt the next eight bytes after the key, which form yet another\r\nconfiguration block with final payload size and its entry point offset. The configuration block is followed by an\r\nencrypted PE payload that starts at the entry point offset after decryption with the custom algorithm.\r\nFinal payload\r\nOnce the final payload (a DLL) is decrypted, it is loaded using process hollowing into explorer.exe. In previous\r\nDTrack samples the libraries to be loaded were obfuscated strings. In more recent versions they use API hashing\r\nto load the proper libraries and functions. Another small change is that three C2 servers are used instead of six.\r\nThe rest of the payload’s functionality remains the same.\r\nInfrastructure\r\nWhen we look at the domain names used for C2 servers, a pattern can be seen in some cases. For example, the\r\nactors combine a color with the name of an animal (e.g., pinkgoat, purplebear, salmonrabbit). Some of the peculiar\r\nnames used in the DTrack infrastructure can be found below:\r\nDomain IP First seen ASN\r\npinkgoat.com 64.190.63.111 2022‑03‑03 15:34 AS47846\r\npurewatertokyo.com 58.158.177.102 2022‑05‑20 16:07 AS17506\r\npurplebear.com 52.128.23.153 2021‑01‑08 08:37 AS19324\r\nsalmonrabbit.com 58.158.177.102 2022‑05‑20 09:37 AS17506\r\nVictims\r\nAccording to KSN telemetry, we have detected DTrack activity in Germany, Brazil, India, Italy, Mexico,\r\nSwitzerland, Saudi Arabia, Turkey and the United States, indicating that DTrack is spreading into more parts of\r\nthe world. The targeted sectors are education, chemical manufacturing, governmental research centers and policy\r\ninstitutes, IT service providers, utility providers and telecommunications.\r\nConclusions\r\nThe DTrack backdoor continues to be used actively by the Lazarus group. Modifications in the way the malware is\r\npacked show that Lazarus still sees DTrack as an important asset. Despite this, Lazarus has not changed the\r\nbackdoor much since 2019, when it was initially discovered. When the victimology is analyzed, it becomes clear\r\nthat operations have expanded to Europe and Latin America, a trend we’re seeing more and more often.\r\nIOCs\r\nC2 domains\r\npinkgoat[.]com\r\npurewatertokyo[.]com\r\npurplebear[.]com\r\nsalmonrabbit[.]com\r\nMD5\r\n1A74C8D8B74CA2411C1D3D22373A6769\r\n67F4DAD1A94ED8A47283C2C0C05A7594\r\nSource: https://securelist.com/dtrack-targeting-europe-latin-america/107798/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/dtrack-targeting-europe-latin-america/107798/"
	],
	"report_names": [
		"107798"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434364,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53223f41ffe20e9661f9dbd4333f4f46cf210282.pdf",
		"text": "https://archive.orkl.eu/53223f41ffe20e9661f9dbd4333f4f46cf210282.txt",
		"img": "https://archive.orkl.eu/53223f41ffe20e9661f9dbd4333f4f46cf210282.jpg"
	}
}