{
	"id": "d9b3ca20-c39c-4c2e-88f8-d72a0f911daf",
	"created_at": "2026-04-06T00:12:32.355088Z",
	"updated_at": "2026-04-10T03:38:19.771238Z",
	"deleted_at": null,
	"sha1_hash": "dd94de18f8a02f10335543bec2f7eb9f1b90655e",
	"title": "Hello! My name is Dtrack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90902,
	"plain_text": "Hello! My name is Dtrack\r\nBy Konstantin Zykov\r\nPublished: 2019-09-23 · Archived: 2026-04-05 18:23:41 UTC\r\nOur investigation into the Dtrack RAT actually began with a different activity. In the late summer of 2018, we\r\ndiscovered ATMDtrack, a piece of banking malware targeting Indian banks. Further analysis showed that the\r\nmalware was designed to be planted on the victim’s ATMs, where it could read and store the data of cards that\r\nwere inserted into the machines. Naturally, we wanted to know more about that ATM malware, so we used YARA\r\nand Kaspersky Attribution Engine to uncover more interesting material: over 180 new malware samples of a spy\r\ntool that we now call Dtrack.\r\nAll the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various\r\ndroppers — we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack\r\nmemory dumps. After that, it got very interesting, because once we decrypted the final payload and used\r\nKaspersky Attribution Engine again, we saw similarities with the DarkSeoul campaign, dating back to 2013 and\r\nattributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and\r\nresearch centers in India. According to our telemetry, the last activity of DTrack was detected in the beginning of\r\nSeptember 2019.\r\nTechnical details\r\nThe dropper has its encrypted payload embedded as an overlay of a PE file as extra data that will never be used in\r\nnormal execution steps. Its decryption routine, part of an executable physical patch, begins somewhere between\r\nthe start() and WinMain() functions. A fun fact is that the malware authors embedded their malicious code into a\r\nbinary that was a harmless executable. 
In some cases, it was the default Visual Studio MFC project, but it could be\r\nany other program.\r\nThe decrypted overlay data contains the following artifacts:\r\nan extra executable;\r\nprocess hollowing shellcode;\r\na list of predefined executable names, which the malware uses as a future process name.\r\nAfter decryption of the data, the process hollowing code is started, taking the name of the process to be hollowed\r\nas an argument. The name comes from the predefined list found within the decrypted overlay. All the names come\r\nfrom the %SYSTEM32% folder, as you can see in the decrypted file list below.\r\nfontview.exe\r\ndwwin.exe\r\nwextract.exe\r\nrunonce.exe\r\ngrpconv.exe\r\nhttps://securelist.com/my-name-is-dtrack/93338/\r\nPage 1 of 4\n\nmsiexec.exe\r\nrasautou.exe\r\nrasphone.exe\r\nextrac32.exe\r\nmobsync.exe\r\nverclsid.exe\r\nctfmon.exe\r\ncharmap.exe\r\nwrite.exe\r\nsethc.exe\r\ncontrol.exe\r\npresentationhost.exe\r\nnapstat.exe\r\nsystray.exe\r\nmstsc.exe\r\ncleanmgr.exe\r\nWhat is inside the dropper?\r\nAfter execution, the target of the process hollowing is suspended until its memory is overwritten with the\r\ndecrypted executable payload from the dropper overlay. After this, the target process resumes.\r\nThe droppers contain a variety of executables, all of these intended for spying on the victim. Below is an\r\nincomplete functionality list for the various Dtrack payload executables found:\r\nkeylogging,\r\nretrieving browser history,\r\ngathering host IP addresses, information about available networks and active connections,\r\nlisting all running processes,\r\nlisting all files on all available disk volumes.\r\nAt this point, the design philosophy of the framework becomes a bit unclear. 
Some of the executables pack the\r\ncollected data into a password-protected archive and save it to the disk, while others send the data to the C\u0026C\r\nserver directly.\r\nAside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT\r\nexecutable allows criminals to perform various operations on a host, such as uploading/downloading, executing\r\nfiles, etc. For a full list of operations, see the table below.\r\ncommand id description\r\n1003 upload a file to the victim’s computer\r\n1005 make target file persistent with auto execution on the victim’s host start\r\n1006 download a file from the victim’s computer\r\n1007 dump all disk volume data and upload it to a host controlled by criminals\r\n1008 dump a chosen disk volume and upload it to a host controlled by criminals\r\n1011 dump a chosen folder and upload it to a host controlled by criminals\r\n1018 set a new interval timeout value between new command checks\r\n1023 exit and remove the persistence and the binary itself\r\ndefault execute a process on the victim’s host\r\nDtrack and ATMDTrack malware similarities\r\nATMDTrack is a subset of the DTrack family. They naturally look different despite their similarities. For example,\r\nDtrack’s payload is encrypted within a dropper—unlike the ATMDTrack samples, which were not encrypted at all.\r\nBut after decrypting the Dtrack payload, it becomes clear that the developers are the same group of people: both\r\nprojects have the same style and use the same implemented functions. The most obvious function they have in\r\ncommon is the string manipulation function. It checks if there is a CCS_ substring at the beginning of the\r\nparameter string, cuts it out and returns a modified one. 
Otherwise, it uses the first byte as an XOR argument and\r\nreturns a decrypted string.\r\nFunctions common to the two families (the functions/arguments were named by the researchers)\r\nConclusions\r\nWhen we first discovered ATMDtrack, we thought we were just looking at another ATM malware family, because\r\nwe see new ATM malware families appearing on a regular basis. However, this case proved once again that it is\r\nimportant to write proper YARA rules and have a solid working attribution engine, because this way you can\r\nuncover connections with malware families that have appeared in the past. One of the most memorable examples\r\nof this was the WannaCry attribution case. Now we can add another family to the Lazarus group’s arsenal:\r\nATMDtrack and Dtrack.\r\nThe vast number of Dtrack samples that we were able to find shows that the Lazarus group is one of the most\r\nactive APT groups in terms of malware development. They continue to develop malware at a fast pace and expand\r\ntheir operations. We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years\r\nlater, we see them in India, attacking financial institutions and research centers. And once again, we see that this\r\ngroup uses similar tools to perform both financially motivated and pure espionage attacks.\r\nTo succeed in spying, the criminals need to be able to gain at least partial control over the internal network. 
This\r\nmeans that the target organizations may have a number of security issues, such as:\r\nweak network security policies,\r\nweak password policies,\r\nlack of traffic monitoring.\r\nWe therefore advise companies to:\r\ntighten their network and password policies,\r\nuse traffic monitoring software, such as Kaspersky Anti Targeted Attack Platform (KATA),\r\nuse antivirus solutions.\r\nIoCs\r\n8f360227e7ee415ff509c2e443370e56\r\n3a3bad366916aa3198fd1f76f3c29f24\r\nF84de0a584ae7e02fb0ffe679f96db8d\r\nSource: https://securelist.com/my-name-is-dtrack/93338/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/my-name-is-dtrack/93338/"
	],
	"report_names": [
		"93338"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434352,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd94de18f8a02f10335543bec2f7eb9f1b90655e.pdf",
		"text": "https://archive.orkl.eu/dd94de18f8a02f10335543bec2f7eb9f1b90655e.txt",
		"img": "https://archive.orkl.eu/dd94de18f8a02f10335543bec2f7eb9f1b90655e.jpg"
	}
}