{
	"id": "428fd94c-4beb-4216-9997-9b9aaf872b21",
	"created_at": "2026-04-06T00:12:50.060515Z",
	"updated_at": "2026-04-10T03:38:19.188873Z",
	"deleted_at": null,
	"sha1_hash": "eee1f454a1ef57a040cd3fe40c4edaa9c062f0ef",
	"title": "Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 477776,
	"plain_text": "Threat Analysis: Active C2 Discovery Using Protocol Emulation\r\nPart4 (Dacls, aka MATA)\r\nBy Takahiro Haruyama\r\nPublished: 2022-11-21 · Archived: 2026-04-05 21:03:59 UTC\r\nDacls, aka MATA, is a cross-platform RAT used by the DPRK-linked Lazarus Group; its first artifacts were observed around April 2018. The VMware Threat Analysis Unit (TAU) first discovered Dacls C2 servers on the Internet by protocol emulation in August 2020. TAU provides details here on how to detect the C2 servers, together with the scanning results.\r\nDacls C2 Protocol Initial Communication\r\nIn late 2019, 360 Netlab published the technical details of Dacls, including details of its C2 protocol. The C2 protocol uses two layers of encryption: TLS and RC4. After establishing a TLS connection, Dacls beacons to the C2 server and then exchanges a key for the RC4 encryption. The initial communication between the Dacls client and the C2 is shown in Figure 1.\r\nhttps://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html\r\nPage 1 of 5\n\nFigure 1: Dacls initial communication phase (source: 360 Netlab blog)\r\nThe beacon packet is 4 bytes long, and the value, referred to as an “opcode”, is sent in little-endian byte order. After beaconing (0x20000/0x20100/0x20200), the Dacls client sends 12 bytes of data: the first 4 bytes are an opcode (0x20300) telling the C2 to send an RC4 key, and the remaining bytes are null. Following that, a randomly generated RC4 key is sent together with its size, since the key size is also random.\r\nAfter the RC4 key is exchanged, the communication is encrypted with RC4. The Dacls client then waits for a command (opcode) from the C2. Based on code analysis, the first command can be 0x602 (config download), 0x900 (heartbeat), or 0x700 (send host information), but TAU has observed that the C2 always sends 0x700 first.\r\nFigure 2: Dacls C2 command loop\r\nLast but not least, the Dacls RAT implements a server mode. However, all IPs discovered by TAU’s C2 scanner likely belong to hosting service providers, so we do not have to consider the possibility of server-mode infections. Kaspersky also pointed out that the server mode was never used.\r\nThreat Actor in Operation?\r\nTAU implemented a scanner emulating the Dacls initial communication and then scanned the Internet to discover active Dacls C2 servers.\r\nIt should be noted that the C2 does not always send the command after the RC4 key exchange. Some servers send 0x700 and others do not. Moreover, a single server sometimes sends it and sometimes does not. For instance, 35.246.189[.]81 always sends 0x700, but 23.94.139[.]92 and 172.87.222[.]3 only send it at specific times, as shown in the following logs. TAU hypothesizes that the first command is sent only when the threat actor is in operation.\r\n———–\r\n[35.246.189.81]\r\n2021/04/15 15:13:14,35.246.189.81,active,00010200\r\n2021/04/15 15:13:15,35.246.189.81,active,RC4 key exchanged,000700000000000000000000\r\n2021/05/06 01:55:32,35.246.189.81,active,00010200\r\n2021/05/06 01:55:32,35.246.189.81,active,RC4 key exchanged,000700000000000000000000\r\n2021/05/10 22:02:37,35.246.189.81,active,00010200\r\n2021/05/10 22:02:38,35.246.189.81,active,RC4 key exchanged,000700000000000000000000\r\n2021/05/28 00:24:58,35.246.189.81,active,00010200\r\n2021/05/28 00:24:59,35.246.189.81,active,RC4 key exchanged,000700000000000000000000\r\n2021/06/06 05:52:04,35.246.189.81,active,00010200\r\n2021/06/06 05:52:04,35.246.189.81,active,RC4 key exchanged,000700000000000000000000\r\n2021/06/24 09:08:13,35.246.189.81,active,00010200\r\n2021/06/24 09:08:14,35.246.189.81,active,RC4 key exchanged,000700000000000000000000\r\n2021/07/06 23:01:24,35.246.189.81,active,00010200\r\n2021/07/06 23:01:25,35.246.189.81,active,RC4 key exchanged,000700000000000000000000\r\n2021/08/03 22:01:09,35.246.189.81,active,00010200\r\n2021/08/03 22:01:10,35.246.189.81,active,RC4 key exchanged,000700000000000000000000\r\n2021/08/30 03:55:55,35.246.189.81,active,00010200\r\n2021/08/30 03:55:56,35.246.189.81,active,RC4 key exchanged,000700000000000000000000\r\n[23.94.139.92]\r\n2021/01/17 14:25:15,23.94.139.92,active,00010200\r\n2021/02/11 00:46:27,23.94.139.92,active,00010200\r\n2021/02/11 00:46:33,23.94.139.92,active,RC4 key exchanged,00070000000000001fdc28ef\r\n2021/02/21 18:50:53,23.94.139.92,active,00010200\r\n[172.87.222.3]\r\n2020/11/25 18:09:53,172.87.222.3,active,00010200\r\n2020/11/25 18:10:07,172.87.222.3,active,RC4 key exchanged,00070000000000005e10795b\r\n2020/12/09 07:03:26,172.87.222.3,active,00010200\r\n2020/12/09 07:03:36,172.87.222.3,active,RC4 key exchanged,000700000000000068f4492b\r\n2020/12/26 19:37:18,172.87.222.3,active,00010200\r\n2021/01/05 06:15:09,172.87.222.3,active,00010200\r\n2021/01/05 06:15:21,172.87.222.3,active,RC4 key exchanged,0007000000000000b9dc64f4\r\n2021/01/17 02:59:35,172.87.222.3,active,00010200\r\n2021/02/11 18:53:29,172.87.222.3,active,00010200\r\n2021/02/23 20:45:35,172.87.222.3,active,00010200\r\n———–\r\nOur C2 scanner classifies as Dacls C2 servers both the IPs that send back the RC4-encrypted command (0x700) and those that only return the beacon (0x20100). This detection condition may cause false positives, but there has been no issue since the discovered C2 IOCs started to be used by our endpoint products in September 2020.\r\nWrap-up\r\nBy emulating the Dacls C2 protocol and scanning the Internet, TAU has identified 121 Dacls C2 servers over the past 2 years. The discovered C2 IOCs are available on our GitHub page. The number of active Dacls C2s has been declining, but multiple C2s are still active now. TAU will continue tracking the malware infrastructure in real time as long as the threat actor uses it.\r\nSource: https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html"
	],
	"report_names": [
		"threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434370,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eee1f454a1ef57a040cd3fe40c4edaa9c062f0ef.pdf",
		"text": "https://archive.orkl.eu/eee1f454a1ef57a040cd3fe40c4edaa9c062f0ef.txt",
		"img": "https://archive.orkl.eu/eee1f454a1ef57a040cd3fe40c4edaa9c062f0ef.jpg"
	}
}