Connect with us

Hi, what are you looking for?


Malware & Threats

North Korean Hackers Developing Malware in Dlang Programming Language

North Korean hackers have used Dlang-based malware in attacks against manufacturing, agriculture, and physical security organizations.

The North Korea-linked hacking group Lazarus has been observed deploying Dlang malware in attacks against organizations in the manufacturing, agriculture, and physical security sectors, Cisco’s Talos security researchers report.

Released in 2001, Dlang, or simply D, is a multi-paradigm system programming language built upon the idea of C++, but drawing inspiration from C#, Eiffel, Java, Python, Ruby, and other high-level languages as well. 

Dlang is considered an uncommon programming language for malware development, but has started attracting malware developers, likely due to its versatility and easy learning curve. Dlang allows developers to cross-compile applications for multiple architectures.

Since March 2023, Lazarus, an advanced persistent threat (APT) actor sponsored by the North Korean government, has been observed using three malware families built using Dlang, namely the NineRAT and DLRAT remote access trojans (RATs), and the BottomLoader downloader.

The malware families, Cisco reports, were used as part of Operation Blacksmith, in which Lazarus targeted systems unpatched against the infamous Log4Shell vulnerability (CVE-2021-44228), to deploy NineRAT against a South American agricultural organization and a European manufacturing business.

The observed attacks overlap with activity that can be attributed to Onyx Sleet, a North Korean group also known as Plutionium and Andariel. However, common consensus across the cybersecurity industry is that North Korean state-sponsored hackers operate under the Lazarus umbrella.

Likely built around May 2022, NineRAT uses Telegram for receiving commands from its command-and-control (C&C) server, likely to evade detection. After deployment, the RAT achieves persistence and becomes the main method of interaction with the infected host.

The malware can harvest system information, upgrade to a new version, stop its execution, uninstall itself, and upload files from the infected machine.

Advertisement. Scroll to continue reading.

The BottomLoader downloader can fetch and execute a payload from a hardcoded URL, and has been observed deploying the custom proxy tool HazyLoad against the European manufacturer and against a South Korean physical security and surveillance firm.

BottomLoader was also designed to achieve persistence for newer versions or for its dropped payloads, through the creation of a URL file in the system’s Startup directory.

Lazarus’ third Dlang malware family is DLRAT, which functions both as a downloader and as a backdoor. It includes hardcoded commands for system reconnaissance, but can also execute commands to download and upload files, rename files, and delete itself from the machine.

As part of Operation Blacksmith, Lazarus was seen exploiting Log4Shell on internet-accessible VMware Horizon servers for initial access, followed by reconnaissance and the deployment of the HazyLoad implant. In some cases, a new user account was created for persistent access to the system.

Lazarus also employed utilities such as ProcDump and MimiKatz for credential dumping, and then deployed the NineRAT backdoor to the system.

Related: North Korean Hackers Have Stolen Over $3 Billion in Cryptocurrency: Report

Related: US Sanctions North Korean Cyberespionage Group Kimsuky

Related: Rigged Software and Zero-Days: North Korean APT Caught Hacking Security Researchers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.