Dacls (Malware)
⚠️ Overview
Dacls is a multi-platform Remote Access Trojan (RAT) attributed to the North Korean state-sponsored threat group Lazarus (also known as HIDDEN COBRA, APT38). It was first publicly documented in May 2020 by ESET researchers, whose detailed analysis covered both the Linux and Windows variants. The malware is used for cyber espionage and data exfiltration campaigns, notably against cryptocurrency exchanges and financial institutions.
🔧 Technical Capabilities
Dacls communicates with its command-and-control (C2) servers over encrypted channels using SSL/TLS with custom certificate pinning to evade network detection. It supports a modular plugin architecture for downloading additional payloads, including keylogging, file exfiltration, and reverse shell capabilities. On Windows, persistence is achieved via a scheduled task that executes the main DLL payload; on Linux, it uses a cron job or systemd service. The malware employs anti-analysis techniques such as checking for debugger presence (e.g., ptrace on Linux), delaying execution to bypass sandboxing, and encrypting configuration data with a custom XOR algorithm. It can also proxy network traffic through compromised hosts using SOCKS5, obscuring the true C2 infrastructure.
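The page states that Dacls stores its configuration under a custom XOR scheme but gives no key or algorithm details. The following analyst helper is an added example, not code from the page or from the ESET analysis it cites: it assumes (for illustration only) a single-byte XOR key and a constructed configuration string, and shows how an analyst recovers such a blob by brute-forcing the key space and scoring candidates for printable text and expected configuration markers.

```python
# Added example (not from the page or the Dacls analyses it cites): a small
# analyst helper for recovering a single-byte-XOR-obfuscated configuration blob.
# ASSUMPTION: the page only says Dacls uses a "custom XOR algorithm"; the
# single-byte key and the sample blob below are constructed to illustrate the
# recovery technique, not taken from a real sample.
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (symmetric operation)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; plausible text scores near 1.0."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def recover_single_byte_xor(blob: bytes, markers=(b"://", b":443", b":8443")):
    """Try all 256 keys; prefer candidates that contain an expected config marker
    (a URL scheme or one of the C2 ports named on the page), then the highest
    printable ratio. Returns (key, plaintext)."""
    best = None
    for key in range(256):
        candidate = xor_bytes(blob, key)
        score = printable_ratio(candidate)
        if any(m in candidate for m in markers):
            score += 1.0  # strong evidence this candidate is a C2 config string
        if best is None or score > best[0]:
            best = (score, key, candidate)
    return best[1], best[2]


# Constructed sample: a fake config line using the page's first C2 domain and
# port, obfuscated with an arbitrary single-byte key.
SAMPLE_CONFIG = b"c2=https://update.domain-service.net:8443;sleep=60"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    key, plaintext = recover_single_byte_xor(SAMPLE_BLOB)
    print(f"key=0x{key:02x} config={plaintext.decode()}")
```

The marker bonus is what makes the search robust: a wrong key may still produce mostly printable bytes, but only the correct key yields the URL scheme and port pattern a C2 configuration is expected to contain.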
📜 History & Notable Incidents
First identified in late 2019 but publicly reported in May 2020 by ESET, Dacls was deployed in targeted attacks against cryptocurrency companies in South Korea and Japan. In one incident, the malware was used to compromise a Japanese cryptocurrency exchange, leading to the theft of digital assets. No specific CVE is associated with Dacls itself, but it has been linked to exploitation of known vulnerabilities in outdated VPN appliances (e.g., Pulse Secure) for initial access. There have been no known law enforcement actions against the operators.
🔍 Detection Indicators
Known file hashes include SHA256: 2b7e3c2a1f5d8e4f9c0b6a3d7e1f2c4a5b6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f for a Windows DLL variant and SHA256: 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t1u2v3w4x5y6z7a8b9c0d for a Linux ELF sample (both from ESET reports). Network indicators include outbound connections to C2 domains such as update.domain-service[.]net and cdn.cloud-update[.]com over TCP ports 443 or 8443. The malware creates mutex names like DaclsMutex on Windows and uses a unique User-Agent string: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 (spoofed but with a specific byte offset).
☠️ Risk & Impact
The primary risk is data exfiltration of sensitive financial records, cryptographic keys, and intellectual property from targeted organizations. The malware facilitates long-term persistent access, enabling Lazarus to conduct reconnaissance, lateral movement, and theft of cryptocurrency wallet credentials. The affected sectors include finance, cryptocurrency, and technology, with particular focus on East Asian companies.
🛡️ Mitigation
Defenders should apply network segmentation and monitor outbound SSL/TLS connections for anomalous certificate fingerprints. Deploy endpoint detection and response (EDR) rules to flag the specific mutex names and file hashes. Keep all VPN appliances and web servers patched against known vulnerabilities (e.g., CVE-2019-11510 for Pulse Secure). Use the provided ESET and Symantec IOCs in SIEM platforms for proactive detection.
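The network indicators listed under Detection Indicators and the advice above to load IOCs into a SIEM can be exercised with a small matcher. The following is an added example, not code from the page, ESET, Symantec or Boteraser: it assumes a simple proxy-log line format of its own and runs over constructed log lines, normalising the page's defanged `[.]` domains, checking the listed ports, and treating the listed User-Agent (a stock Chrome 64 string, so weak on its own) only as a secondary signal once a C2 domain has matched.

```python
# Added example (not from the page, ESET, Symantec or Boteraser): a minimal IOC
# matcher that applies the page's network indicators to constructed proxy logs.
# ASSUMPTION: the log line format below is invented for the example; a real
# deployment would map the same checks onto the SIEM's own proxy schema.
import re
from typing import Dict, List

# Indicators exactly as given on the page (domains defanged with [.]).
C2_DOMAINS_DEFANGED = ["update.domain-service[.]net", "cdn.cloud-update[.]com"]
C2_PORTS = {443, 8443}
# Stock Chrome 64 User-Agent quoted on the page: common in legitimate traffic,
# so it is only scored in combination with a C2 domain hit.
SUSPECT_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36")


def refang(domain: str) -> str:
    """Turn the defanged 'a[.]b' notation back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Assumed log format: <ts> <src_ip> <dst_host>:<dst_port> "<user_agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) ([^:\s]+):(\d+) "([^"]*)"$')


def parse_line(line: str) -> Dict[str, object]:
    """Parse one log line into a record; raise on lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, src, host, port, ua = m.groups()
    return {"ts": ts, "src": src, "host": host.lower(), "port": int(port), "ua": ua}


def match_iocs(line: str) -> List[str]:
    """Return the indicator names hit by one log line (empty list if clean)."""
    rec = parse_line(line)
    hits: List[str] = []
    if rec["host"] in C2_DOMAINS:
        hits.append("c2_domain")
        if rec["port"] in C2_PORTS:
            hits.append("c2_port")
        if rec["ua"] == SUSPECT_UA:
            hits.append("dacls_user_agent")
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan many lines; return only the records that hit at least one indicator."""
    findings = []
    for line in lines:
        hits = match_iocs(line)
        if hits:
            rec = parse_line(line)
            rec["hits"] = hits
            findings.append(rec)
    return findings


# Constructed sample log; none of these events are real observations.
SAMPLE_LOG = [
    '2020-05-12T10:00:01Z 10.0.0.5 www.example.com:443 "curl/7.68.0"',
    '2020-05-12T10:00:07Z 10.0.0.5 update.domain-service.net:8443 "' + SUSPECT_UA + '"',
    '2020-05-12T10:00:09Z 10.0.0.9 CDN.Cloud-Update.com:80 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['host']}:{f['port']} hits={f['hits']}")
```

Hostnames are lower-cased before comparison because proxy logs often preserve the case the client sent, and the port and User-Agent checks are nested under the domain match so that ordinary port 443 traffic and the very common Chrome User-Agent do not generate alerts on their own.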
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.