North Korean hackers target European orgs with updated malware

North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America.

DTrack is a modular backdoor featuring a keylogger, a screenshot snapper, a browser history retriever, a running processes snooper, an IP address and network connection information snatcher, and more.

Apart from spying, it can also run commands to perform file operations, fetch additional payloads, steal files and data, and execute processes on the compromised device.

The new malware version doesn’t feature many functional or code changes compared to samples analyzed in the past, but it is now deployed far more widely.

A wider distribution

As Kaspersky explains in a report published today, their telemetry shows DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.

The targeted sectors include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunication providers, utility service providers, and education.

In the new campaign, Kaspersky has seen DTrack distributed using filenames commonly associated with legitimate executables.

For example, one sample they shared is distributed under the ‘NvContainer.exe’ file name, which is the same name as a legitimate NVIDIA file.

Kaspersky told BleepingComputer that DTrack continues to be installed by breaching networks using stolen credentials or exploiting Internet-exposed servers, as seen in previous campaigns.

When launched, the malware goes through multiple decryption steps before its final payload is loaded via process hollowing into an “explorer.exe” process, running directly from memory.

Chunk decryption routine (Kaspersky)

The only differences from past DTrack variants are that it now uses API hashing to load libraries and functions instead of obfuscated strings, and that the number of C2 servers has been cut by half to just three.
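When a sample resolves imports by hash rather than by name, an analyst recovers the hidden API names by hashing a list of candidate exports with the same routine and matching the constants found in the binary. The Python below is an added illustration of that lookup, not code from the article or from Kaspersky; the ROR13 routine it uses is an assumed generic scheme for demonstration, not DTrack's actual hashing algorithm, which the report excerpt above does not specify.

```python
"""Resolve API-hash constants back to export names (analyst-side lookup).

Added illustration. The hash routine is an ASSUMED generic ROR13 scheme
chosen for demonstration; the sample's real routine must be lifted from
its resolver loop and substituted for `ror13_hash` before use.
"""

def ror13_hash(name: str) -> int:
    """32-bit rotate-right-by-13 accumulation over the name's ASCII bytes."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # ROR 13 within 32 bits
        h = (h + b) & 0xFFFFFFFF                  # add the next byte
    return h


def build_table(export_names, hash_fn=ror13_hash):
    """Precompute hash -> name for every export an analyst expects to see.

    Raises ValueError on a collision so a wrong guess at the scheme or a
    too-broad name list does not silently mislabel a constant.
    """
    table = {}
    for name in export_names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} vs {name}")
        table[h] = name
    return table


def resolve(constants, table):
    """Map each constant to an export name, or None when not in the table."""
    return [(c, table.get(c)) for c in constants]


# Constructed export list: names a loader commonly resolves; extend from the
# export tables of the DLLs the sample is observed to load.
EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
           "CreateProcessW", "WriteProcessMemory", "ResumeThread"]

if __name__ == "__main__":
    table = build_table(EXPORTS)
    # Constructed constants, as if pulled from a sample's resolver loop.
    constants = [ror13_hash("VirtualAlloc"), ror13_hash("ResumeThread"), 0xDEADBEEF]
    for c, name in resolve(constants, table):
        print(f"0x{c:08x} -> {name or '<unresolved: extend EXPORTS or fix scheme>'}")
```

An unresolved constant usually means the candidate list is too short or the assumed routine is wrong; both are corrected by reading the resolver loop in the sample rather than by guessing further.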

Some of the C2 servers uncovered by Kaspersky are “pinkgoat[.]com”, “purewatertokyo[.]com”, “purplebear[.]com”, and “salmonrabbit[.]com.”

DTrack attribution

Kaspersky attributes this activity to the North Korean Lazarus hacking group and claims the threat actors use DTrack whenever they see the potential for financial gains.

In August 2022, the same researchers linked the backdoor to the North Korean hacking group tracked as ‘Andariel,’ which deployed Maui ransomware in corporate networks in the U.S. and South Korea.

In February 2020, Dragos linked DTrack to a North Korean threat group, ‘Wassonite,’ which attacked nuclear energy and oil and gas facilities.

https://www.bleepingcomputer.com/news/security/north-korean-hackers-target-european-orgs-with-updated-malware/
