{
	"id": "079ec3b1-f799-492f-a133-7ac55b3111fd",
	"created_at": "2026-04-06T00:10:54.57024Z",
	"updated_at": "2026-04-10T03:38:20.097114Z",
	"deleted_at": null,
	"sha1_hash": "b2dad72795c1653d0326702e554f5b9c1f977ed8",
	"title": "Dacls, the Dual platform RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2830212,
	"plain_text": "Dacls, the Dual platform RAT\r\nBy jinye\r\nPublished: 2019-12-17 · Archived: 2026-04-05 16:30:18 UTC\r\nBackground\r\nOn October 25, 2019, a suspicious ELF file (80c0efb9e129f7f9b05a783df6959812) was flagged by our new threat monitoring system. At first glance it seemed to be just another one of the regular botnets, but we soon realized this is something with a potential link to the Lazarus Group.\r\nAt present, the industry has not disclosed any Lazarus Group attack samples or cases against the Linux platform. Our analysis shows that this is a fully functional, covert RAT program targeting both the Windows and Linux platforms, and the samples share some key characteristics of tooling used by the Lazarus Group.\r\nThe links between Lazarus Group and Dacls RAT\r\nFirst, we searched VT for the hardcoded strings c_2910.cls and k_3872.cls from the sample and found 5 more samples. We can confirm from their sample and C2 instruction codes that they belong to the same RAT family, built for the Windows and Linux platforms respectively.\r\nOne of the 5 samples, 6de65fc57a4428ad7e262e980a7f6cc7, was attributed to the Lazarus Group by the user Raeezabdulla of the VirusTotal community, citing the report \"CES Themed Targeting from Lazarus\". This sample also has the download address https://thevagabondsatchel.com/wp-content/uploads/2019/03/wm64.avi .\r\nIn October 2019, a sample named NukeSped was tagged by Twitter user @cyberwar_15 as Lazarus Group. 
And that sample file, b578ccf307d55d3267f98349e20ecff1, has the download URL http://thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi\r\nA quick Google search returns many Lazarus Group analysis reports and some open source threat intelligence data, many pointing out that thevagabondsatchel.com was used by the Lazarus Group to store samples.\r\nhttps://blog.netlab.360.com/dacls-the-dual-platform-rat-en/\r\nPage 1 of 23\n\nTherefore, we speculate that the attacker behind Dacls RAT is the Lazarus Group.\r\nCurrently this sample is shown on VirusTotal with 26 fairly generic malware tags from 26 antivirus vendors and no relevant analysis report. Therefore, we think it is necessary to disclose some of its technical details here.\r\nWe name it Dacls (Win32.Dacls and Linux.Dacls) based on its file name and hard-coded strings.\r\nDacls overview\r\nDacls is a new type of remote-control software targeting both Windows and Linux environments. Its functions are modular, the C2 protocol uses TLS and RC4 double-layer encryption, the configuration file uses AES encryption, and the C2 instruction set supports dynamic updates. The Win32.Dacls plug-in module is dynamically loaded through a remote URL, while the Linux version of the plug-in is compiled directly into the Bot program.\r\nDownloader server\r\nWe found a series of samples on a suspected download server, http://www.areac-agr.com/cms/wp-content/uploads/2015/12/ , including Win32.Dacls, Linux.Dacls, the open source program Socat, and a working payload for Confluence CVE-2019-3396. 
We speculate that the Lazarus Group used the CVE-2019-3396 N-day vulnerability to spread the Dacls Bot program.\r\nMD5 (check.vm) = a99b7ef095f44cf35453465c64f0c70c //Confluence CVE-2019-3396 Payload\r\nMD5 (hdata.dat) = 982bf527b9fe16205fea606d1beed7fa //Log Collector\r\nMD5 (ldata.dat) = 80c0efb9e129f7f9b05a783df6959812 //Linux Dacls Bot\r\nMD5 (mdata.dat) = 80c0efb9e129f7f9b05a783df6959812 //Linux Dacls Bot\r\nMD5 (r.vm) = a99b7ef095f44cf35453465c64f0c70c //Confluence CVE-2019-3396 Payload\r\nMD5 (rdata.dat) = bea49839390e4f1eb3cb38d0fcaf897e //Windows Dacls Bot\r\nMD5 (sdata.dat) = e883bf5fd22eb6237eb84d80bbcf2ac9 //Open-Source Socat\r\nReverse analysis\r\nLog Collector sample\r\nMD5: 982bf527b9fe16205fea606d1beed7fa\r\nELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header\r\nThe function of this sample is simple. It collects target host information according to the parameters specified for the log collecting process. 
It avoids scanning certain specified root-level and second-level directories, and writes the retrieved file paths to /tmp/hdv.log .\r\nRoot-level directories excluded from scanning\r\n/bin\r\n/boot\r\n/dev\r\n/etc\r\n/lib\r\n/lib32\r\n/lib64\r\n/lost+found\r\n/sbin\r\n/sys\r\n/tmp\r\n/proc\r\n/run\r\nSecond-level directories excluded from scanning\r\n/usr/bin\r\n/usr/etc\r\n/usr/games\r\n/usr/include\r\n/usr/lib\r\n/usr/lib32\r\n/usr/lib64\r\n/usr/libexec\r\n/usr/sbin\r\n/usr/share\r\n/usr/src\r\n/usr/tmp\r\n/var/adm\r\n/var/cache\r\n/var/crash\r\n/var/db\r\n/var/empty\r\n/var/games\r\n/var/gopher\r\n/var/kerberos\r\n/var/lock\r\n/var/nis\r\n/var/preserve\r\n/var/run\r\n/var/yp\r\nSample logging format\r\ndepth name type size last date\r\n0 / D 0 000000000000\r\n1 bin D 0 201911290628\r\n2 bash F 1037528 201907121226\r\n2 bunzip2 F 31352 201907040536\r\n2 busybox F 1984584 201903070712\r\n2 bzcat F 31352 201907040536\r\n2 bzcmp F 2140 201907040536\r\n....\r\nWhen all the work is done, it executes the system tar command to compress the log file ( tar -cvzf /tmp/hdv.rm /tmp/hdv.log ) and uploads it to the specified log collecting interface.\r\nLinux.Dacls sample\r\nMD5: 80c0efb9e129f7f9b05a783df6959812\r\nELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=e14724498374cb9b80a77b7bfeb1d1bd342ee139, stripped\r\nThe main functions of the Linux.Dacls Bot include: command execution, file management, process management, network access testing, C2 connection proxying, and a network scanning module.\r\nInitialization\r\nAfter the Linux.Dacls Bot is started, it runs as a daemon in the background, and uses the startup parameter /pro , the Bot PID file /var/run/init.pid and the Bot process name in /proc/\u003cpid\u003e/cmdline to distinguish 
We suspect that it may be used for Bot program upgrades.\r\nConfiguration file .memcahce\r\nThe Linux.Dacls Bot configuration file is stored at $HOME/.memcache , and the file content is 0x8E20 + 4 bytes. If\r\nBot cannot find the configuration file after startup, it will use AES encryption to generate the default configuration\r\nfile based on the hard-coded information in the sample. After successful Bot communicates with C2, the\r\nconfiguration file will get updated.\r\nData structure\r\nWe define the data structure information of the configuration file as struct_global_cfg, which stores the Bot\r\noperating parameters, C2 information, and plug-in information.\r\nhttps://blog.netlab.360.com/dacls-the-dual-platform-rat-en/\r\nPage 5 of 23\n\nstruct struct_plugin_cfg_data\r\n{\r\n int plugin_id;\r\n int plugin_type;\r\n int unk3;\r\n char name[1040];\r\n};\r\nstruct struct_c2_content\r\n{\r\n char content[2048];\r\n};\r\nstruct struct_global_cfg\r\n{\r\n int session_id;\r\n int unk_const1;\r\n int sus_version_20190417;\r\n int connect_retry_sleep_time;\r\n char unk_array1[88];\r\n int c2_num;\r\n struct_c2_content c2_list[3];\r\n char unknown_filed_186C[14340];\r\n struct_plugin_cfg_data plug_cfg_data_list[15];\r\n};\r\nAES encryption algorithm\r\nAES，CBC Mode\r\nKey：A0 D2 89 29 27 78 75 F6 AA 78 C7 98 39 A0 05 ED\r\nIV：39 18 82 62 33 EA 18 BB 18 30 78 97 A9 E1 8A 92\r\nDecrypting the configuration file\r\nAfter decrypting the configuration file, we can see some plain text information in it, for example: session ID,\r\nversion information, reconnection time for C2, C2 information, etc. 
After successfully connecting to C2, the configuration file will be updated according to received C2 instructions, such as adding new plugin information supported by the Bot, updated C2 information, etc.\r\nC2 protocol\r\nCommunication between the Linux.Dacls Bot and C2 is divided into three stages, and uses TLS and RC4 double-layer encryption to protect the data in transit. The first phase establishes a TLS connection, the second phase performs the protocol authentication handshake (malware beaconing), and the third phase is the Bot sending RC4-encrypted data.\r\nSSL connection\r\nPhase 2\r\nSeveral Beacon messages are exchanged here, in which the Bot and C2 confirm each other's identity.\r\nCmd Direction Encrypted Description\r\n0x20000 send no Beacon\r\n0x20100 recv no Beacon\r\n0x20200 send no Beacon\r\nRC4 encryption and decryption process\r\nRC4 key generation: the key is generated by a random function, with a key length greater than 0 and less than 50 bytes.\r\nPermutation table generation: the RC4 permutation table (S-box) is generated from the RC4 key.\r\nEncryption / decryption: encryption and decryption are performed using the generated permutation table. Because RC4 is a symmetric stream cipher, the same routine serves for both encryption and decryption.\r\nRC4 decryption example\r\nAfter completing the protocol authentication, the Bot sends the RC4 key length (the first 4 bytes) and the RC4 key data to C2.\r\nC2 receives the encryption key and sends the ciphertext to the Bot. 
After decryption, the command is 0x00000700. After that, the Bot uploads the hostname-related information to C2.\r\nKey:\r\na3 2f c2 10 f3 92 79 c3 0e f6 e4 e5 2e 69 29 86\r\n0d 3a 92 f5 b7 23 fc 91 d9 46 91 55 a3 86 5a 47\r\n36 1d 58 2a af d1 6d 3d 49 52 23 77 bc 4d fd 49\r\n87\r\nCiphertext:\r\nfe 3c 2c d7 bf 08 e3 91 d7 00 1f d0\r\nPlaintext:\r\n00 07 00 00 00 00 00 00 00 00 00 00\r\nC2 instruction code table\r\nThe instructions accepted by the Linux.Dacls Bot are 12 bytes in total, but only the first 4 bytes are significant, and they are divided into two control modes.\r\nThe first mode: when the third byte is 0, the instruction controls the Bot main logic.\r\nThe following is an example of the network packet corresponding to the 0x00000700 instruction: the mode is 0x00, and instruction 2 is 0x07, which tells the Bot to upload host name information.\r\nINSTRUCTION 1 INSTRUCTION 2 MODE UNKNOWN\r\n00 07 00 00\r\nThe second mode: when the third byte is 1, the plug-in logic is called.\r\nThe following is an example of the network packet corresponding to the 0x00010101 instruction: the mode is 0x01, and instruction 1 is 0x01.\r\nINSTRUCTION 1 INSTRUCTION 2 MODE UNKNOWN\r\n01 01 01 00\r\nAfter receiving an instruction, the Bot returns 0x20500 on successful execution and 0x20600 on failure.\r\nC2 instruction list for the Bot main logic\r\nMODULE CMD ENCRYPT Description\r\nCore 0x00000601 Yes Upload C2 configuration information\r\nCore 0x00000602 Yes Download configuration information to $HOME/.memcache\r\nCore 0x00000700 Yes Ask Bot to upload host information\r\nCore 0x00000900 Yes Ask Bot to send heartbeat information\r\nC2 instruction list for the Bot plugin logic\r\nMODULE CMD ENCRYPT Description\r\n/bin/bash 0x00010000 Yes Execute the bash command issued by C2\r\n/bin/bash 0x00010002 Yes Connect to the specified C2 and execute the issued system 
command\r\nplugin_file 0x00010100 Yes Write file\r\nplugin_file 0x00010101 Yes Read file\r\nplugin_file 0x00010103 Yes Delete files\r\nplugin_file 0x00010104 Yes Scan the directory structure\r\nplugin_file 0x00010110 Yes Download file from specified URL\r\nplugin_process 0x00010200 Yes Scan and upload information about host processes\r\nplugin_process 0x00010201 Yes Kill specified process\r\nplugin_process 0x00010202 Yes Create a daemon process\r\nplugin_process 0x00010204 Yes Obtain and report process PID and PPID\r\nplugin_test 0x00010300 Yes Test whether the specified IP can be reached\r\nplugin_reverse_p2p 0x00010400 Yes C2 connection proxy\r\nlogsend 0x00011100 Yes Test if the Log server can be accessed\r\nlogsend 0x00011101 Yes Upload public network port scan results and command execution output\r\nlogsend 0x00011102 Yes No operation\r\nC2 communication flowchart\r\nPlug-in module\r\nThe Linux.Dacls Bot is statically compiled, with the plug-in and Bot code built together. Different plug-ins are invoked by sending different instructions, so that various tasks can be completed. The sample we analyzed contains a total of 6 plugins; because the plugin configuration is a contiguous array of structures (indices 0x00 ~ 0x0e), we guess that the Bot may have more plugins.\r\nEach plug-in has its own corresponding configuration, which is saved in the bot's configuration file $HOME/.memcache . 
When a plug-in is initialized, its configuration information is loaded.\r\nBash plugin\r\nThe Bash plug-in is plug-in number 0. It mainly supports two functions: receiving and executing system commands issued by the C2 server; and, when C2 issues a temporary new C2, connecting to that temporary C2 and executing the system commands it issues.\r\nFile plugin\r\nThe main function of the File plugin is file management. In addition to supporting read, write, delete, and find operations on files, the bot can also download files from a designated download server.\r\nProcess plugin\r\nThe main function is process management, including: killing a specified process, creating a daemon process, obtaining the PID and PPID of the current process, and obtaining process list information.\r\nIf the /proc/\u003cpid\u003e/task directory corresponding to a PID exists, the Bot sample collects the following process information:\r\n/proc/\u003cpid\u003e/cmdline Read the full command line\r\nFrom /proc/\u003cpid\u003e/status reading:\r\nName //process name\r\nUid //user ID\r\nGid //group ID\r\nPPid //parent ID\r\nTest plugin\r\nThe main function is to test network connectivity by connecting to the IP address and port specified by C2.\r\nReverse P2P plugin\r\nThe Reverse P2P plug-in is actually a C2 connection proxy: it routes network traffic between bots and C2 to avoid direct connections to the attackers' infrastructure. This is a technique commonly used by the Lazarus Group. With a connection proxy, the number of target hosts that connect out can be reduced, and the communication between the target and the real C2 can be hidden. 
In some cases, an infected intranet host can be used to penetrate further into an isolated network segment.\r\nreverse_p2p plugin initialization\r\nWhen the Bot receives the command, it first attempts to connect to the specified C2 port and sends 0x21000. If C2 returns 0x21300, the C2 connection is successful and the Bot connects to the target IP:port. If that succeeds, it returns 0x21100 to C2, indicating that the forwarding connection has been established and forwarding can start. From then on, the Bot forwards the data sent by C2 to the target and, at the same time, returns the data from the target to C2, until either party closes the connection.\r\nThe following is the working flowchart of the Reverse P2P plugin:\r\nLogSend plugin\r\nThe LogSend plug-in mainly includes three functions: testing the connection to the Log server, randomly scanning port 8291 across the entire public network and reporting to the Log server, and executing long-running system commands while reporting the console output to the Log server in real time.\r\nLogSend plugin initialization\r\nLogSend related operation callback function\r\nTo test the connection to the Log server, the Bot sends a test request to it. 
If the Log server returns {\"result\":\"ok\"} , the test was successful and C2 can issue further LogSend instructions.\r\nThe POST request is sent to the HTTP interface address specified by C2 with the built-in User-Agent:\r\nPOST /%s HTTP/1.0\r\nHost: %s\r\nContent-Length: 9\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.18\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nCache-Control: no-cache\r\nConnection: close\r\n\r\nlog=check\r\nRandomly scan port 8291 on the entire network and report the result to the Log server.\r\nAfter receiving the instruction, the Bot randomly generates public IP addresses according to 3 built-in rules and tries to connect to their port 8291. If the connection is successful, the scan result is reported to the Log server.\r\nIP generation rules:\r\nip = \u003cpart1\u003e.\u003cpart2\u003e.\u003cpart3\u003e.\u003cpart4\u003e\r\nrule1: part1 != 127\r\nrule2: part1 == 172 and (part2 \u003c= 15 or part2 \u003e 31)\r\nrule3: part1 != 192 and part2 != 168\r\nrule4: part1 != 10\r\nThe random IP generation algorithm is as follows:\r\nWe can see that the Bot hard-codes TCP port 8291 and calls the system connect function to perform the port scan. It only checks whether the port is open and does not send any payload data. We are not sure why TCP 8291 is targeted, but we know that the Winbox protocol of MikroTik router devices runs on TCP port 8291 and is exposed on 
the Internet. Previously we also disclosed 2 articles about TCP port 8291 threat incidents [1][2].\r\nExecute a bash command that takes a long time to finish and report the console output to the Log server in real time.\r\nExecute the bash command and forward the output to the Log server.\r\nAll reported Log data is submitted by HTTP POST. The format of the payload section is as follows:\r\nlog=save\u0026session_id=\u003csession id\u003e\u0026value=\u003clog content\u003e\r\nSuggestions\r\nWe recommend that Confluence users patch their systems in a timely manner and check whether they have been infected based on the process name, file name, and TCP network connections used by the Dacls RAT.\r\nWe recommend that readers monitor and block Dacls RAT-related IPs, URLs and domain names.\r\nContact us\r\nReaders are always welcome to reach us on Twitter, WeChat 360Netlab or by email to netlab at 360 dot cn.\r\nIoC list\r\nSample MD5\r\nHard-coded C2 IP:\r\nURL\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/check.vm\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/hdata.dat\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/ldata.dat\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/mdata.dat\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/r.vm\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/rdata.dat\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/sdata.dat\r\nSource: https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/"
	],
	"report_names": [
		"dacls-the-dual-platform-rat-en"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2dad72795c1653d0326702e554f5b9c1f977ed8.pdf",
		"text": "https://archive.orkl.eu/b2dad72795c1653d0326702e554f5b9c1f977ed8.txt",
		"img": "https://archive.orkl.eu/b2dad72795c1653d0326702e554f5b9c1f977ed8.jpg"
	}
}