Lazarus hackers now targeting Linux and Windows- Dalcs Malware

Recently researchers have discovered a new RAT(Remote Access Trojan) which was previously unknown called “Dacls” from the infamous hacking group ‘Lazarus APT hackers’ group and it was designed to target Windows and Linux users.

This group was also known as HIDDEN COBRA (by the United States Intelligence Community) and Zinc (by Microsoft) and is famous for hacking Sony Pictures at the end of November 2014 and behind the WannaCry ransomware.

Lazarus Malware Analysis

Although it was the first malware seen from Lazarus hacking group to attack Linux distro and there were only two antivirus engines that discovered the suspicious content of the ELF file sample. This trojan is capable of attacking both Linux and Windows users named Win32.Dacls and Linux.Dacls.

Researchers from NetLab360 observed a hard-coded string features c_2910.cls and k_3872.cls from the collected sample.

A sample of Lazarus malware win32.dalcs that is downloaded from and has been marked by the virus total team as a sample associated with Lazarus Group.

This RAT also features a reverse P2P plug that act as a  C2 Connection Proxy that routes traffic between bots and C2 server which is act as an indirect connection to the operator.

This is a commonly used technique by the Lazarus Group. With connection proxy, the number of target host connections can be reduced, and the communication between the target and the real C2 can be hidden


Researchers confirmed that Lazarus Group used the CVE-2019-3396 N-day vulnerability to spread the Dacls Bot program.

Netlabs360 has published a report related to Dalcs

Leave a Reply

Your email address will not be published. Required fields are marked *

three × 1 =

Do NOT follow this link or you will be banned from the site!