North Korean Hackers Utilize Dlang-Based Malware in Targeted Attacks

North Korean hackers have recently been employing Dlang-based malware, a relatively uncommon programming language, for malicious purposes. Lazarus, a North Korea-linked hacking group, has been identified as the culprit behind these attacks. This article delves into the rise of Dlang in malware development and provides an analysis of Lazarus’ three Dlang malware families. It also explores the overlapping activity with another North Korean group, Onyx Sleet (also known as Plutionium and Andariel). Furthermore, the article examines the functionality of each malware family, the exploitation techniques employed by Lazarus, and the implications of these targeted attacks.

Dlang as an Uncommon Programming Language for Malware Development

The adoption of Dlang by malware developers has surged in recent years due to its versatility and easy learning curve. This shift in the choice of programming language needs to be understood in the context of the targeted attacks carried out by North Korean hackers.

The Three Malware Families Built with Dlang by Lazarus

Lazarus has utilized three distinct malware families, namely NineRAT, DLRAT, and BottomLoader, all developed using Dlang. Each family serves its purpose in different stages of the attack process, contributing to the success of Lazarus’ operations. These malware families have been in use by Lazarus since March 2023.

Overlapping Activity with Onyx Sleet (Plutonium and Andariel)

The observed attacks demonstrate an overlap with the activities of Onyx Sleet, another North Korean hacking group also known as Plutonium and Andariel. The connection between Lazarus and Onyx Sleet raises concerns about the coordinated efforts of these groups and their combined capabilities.

Analysis of NineRAT

Introduced around May 2022, NineRAT operates by receiving commands from its command-and-control (C&C) server via Telegram. The use of Telegram allows Lazarus to evade detection and maintain communication with the compromised systems.

Features of BottomLoader

Designed as a downloader, BottomLoader fetches and executes payloads from hardcoded URLs. Notably, it has been observed deploying the custom proxy tool, HazyLoad, in targeted attacks against a European manufacturer and a South Korean physical security and surveillance firm.

Functionality of DLRAT

DLRAT serves a dual purpose as both a downloader and a backdoor. This combination allows Lazarus to establish persistent access to compromised systems and subsequently download additional malware or execute various commands.

Exploitation Techniques Employed by Lazarus

Lazarus has demonstrated proficiency in exploiting known vulnerabilities to gain initial access to target environments. The exploitation of Log4Shell on internet-accessible VMware Horizon servers has been observed, followed by reconnaissance and the deployment of the HazyLoad implant. The group also employs utilities like ProcDump and Mimikatz for credential dumping. Ultimately, the NineRAT backdoor is deployed to gain complete control over the compromised systems.

The use of Dlang-based malware by North Korean hackers, particularly Lazarus, poses a significant threat to organizations in various sectors, including manufacturing, agriculture, and physical security. The overlapping activities between Lazarus and Onyx Sleet highlight the coordinated efforts of these North Korean hacking groups. Continued monitoring and robust cybersecurity measures are crucial to combating these threats and protecting targeted organizations from the evolving tactics and techniques employed by state-sponsored cybercriminals.

Explore more

How Can AI Boost Productivity While Managing Risks?

Introduction Imagine a world where businesses operate at peak efficiency, with mundane tasks handled seamlessly by machines, allowing employees to focus on innovation and strategy. This scenario is not a distant dream but a reality shaped by artificial intelligence (AI), a technology revolutionizing productivity across industries. The ability of AI to transform operations, from automating routine processes to predicting market

How Is OpenAI Revolutionizing Enterprise Voice AI Technology?

In an era where seamless communication can make or break a business, the rapid advancements in artificial intelligence are transforming how enterprises interact with customers and streamline operations. Imagine a contact center where AI agents handle calls with the finesse of a human operator, scheduling appointments, resolving queries, and even interpreting visual data in real time. This is no longer

How Is Silk Typhoon Targeting Cloud Systems in North America?

In the ever-evolving world of cybersecurity, few threats are as persistent and sophisticated as state-linked hacker groups. Today, we’re diving deep into the activities of Silk Typhoon, a China-nexus espionage group making waves with their targeted attacks on cloud environments. I’m thrilled to be speaking with Dominic Jainy, an IT professional with extensive expertise in artificial intelligence, machine learning, and

How to Master GEO Content Creation with 10 Essential Tips

In an era where artificial intelligence shapes the digital search landscape, optimizing content for Generative Engine Optimization (GEO) has become a critical strategy for brands aiming to stand out. With a significant portion of users, especially younger demographics, relying on AI tools for content discovery—studies suggest over 35%—the need to adapt to this shift is undeniable. Traditional search engine optimization

Why Is Small Business Data a Goldmine for Cybercriminals?

What if the greatest danger to a small business isn’t a failing economy or fierce competition, but an invisible predator targeting its most valuable asset—data? In 2025, cybercriminals are zeroing in on small enterprises, exploiting their often-overlooked vulnerabilities with devastating precision. A single breach can shatter a company’s finances and reputation, yet many owners remain unaware of the looming risk.