S0497: Dacls
Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.[1][2]
Analyst context for executives and security teams
Dacls matters because it is a multi-platform remote access tool: if it is present, defenders should treat it as potential hands-on-keyboard access across macOS, Linux, or Windows environments rather than a single-host nuisance. The ATT&CK relationships show behaviors that affect executive risk decisions: stealth through encoded or hidden files and masquerading, discovery of processes and files, web-protocol command and control, tool transfer, and macOS persistence through Launch Agents or Launch Daemons.
Executive priority
Prioritize Dacls as a validation case for cross-platform endpoint visibility and macOS security maturity. Leaders should ask whether SOC and IR teams can prove collection and response readiness for macOS persistence, Linux/macOS/Windows hidden artifacts, web-based command-and-control patterns, and post-compromise file or process discovery. Because ATT&CK links Dacls to Lazarus Group, threat intelligence and incident communications should preserve that context, but local evidence is required before making attribution or impact claims.
Technical view
For SOC and IR teams, use the related techniques to test coverage rather than relying on a malware name alone. Validate telemetry for encoded or encrypted files, masqueraded names or locations, process enumeration, file and directory enumeration, inbound tool transfer, web-protocol C2, hidden files or directories, and macOS Launch Agent/Launch Daemon creation or modification. Since ATT&CK provides no official detection text for Dacls, detection engineering should focus on behavior chains across supported platforms, especially combinations of stealth, discovery, persistence, and network communication.
Likely telemetry
- Endpoint process execution and command-line metadata on macOS, Linux, and Windows
- File creation, modification, rename, metadata, and hidden attribute or hidden path monitoring
- macOS LaunchAgent and LaunchDaemon plist creation or modification events
- Network telemetry for HTTP/S or other web-protocol outbound connections
- File transfer evidence from endpoint, proxy, firewall, or EDR sources
Detection direction
- Build behavior-based detections around correlated stealth plus discovery plus web-protocol communication rather than static signatures alone.
- Tune macOS detections for LaunchAgent and LaunchDaemon changes, distinguishing legitimate software installation and administration from unusual persistence paths or timing.
- Review false positives for process and file discovery because administrators, security tools, and management agents can generate similar activity.
- Validate whether hidden files/directories and masqueraded artifact names are visible in current endpoint tooling across all supported platforms.
- Use the Lazarus Group relationship as intelligence context, not as automatic attribution without corroborating incident evidence.
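As an added example (not code from this page, from MITRE, or from the cited TrendMicro/SentinelOne reports), the Python script below turns the mapped persistence and stealth behaviors into a launchd triage check: it parses every plist under the LaunchAgent/LaunchDaemon directories, resolves the program launchd would run, and flags a dot-prefixed (hidden) path component, a file with a non-executable extension such as .nib that carries a Mach-O magic number, and the RunAtLoad+KeepAlive combination as a weak supporting signal. The fixtures it scans (labels com.example.sample and com.example.updater, the .sample.nib payload, the Mach-O header bytes) are constructed in a temporary directory so the script runs offline; on a real host you would pass it the standard launchd directories instead.

```python
#!/usr/bin/env python3
"""Launchd persistence triage for hidden or masqueraded programs (added example)."""
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Mach-O magic numbers: 32-bit, 64-bit and fat, in both byte orders.
# 0xcafebabe also begins Java class files, so treat a fat-magic hit as a lead, not proof.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}
# Extensions that should never be a launchd program target.
NON_EXEC_SUFFIXES = {".nib", ".plist", ".png", ".jpg", ".txt", ".dat"}
# Standard launchd locations on macOS (system-wide and per-user).
LAUNCHD_DIRS = [
    "/Library/LaunchAgents", "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",
    str(Path.home() / "Library" / "LaunchAgents"),
]


def is_macho(path: Path) -> bool:
    """True if the first four bytes are a Mach-O magic; False if unreadable."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def launched_program(plist: dict) -> Optional[str]:
    """Path launchd executes: Program, otherwise ProgramArguments[0]."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def triage_plist(plist_path: Path) -> List[str]:
    """Return the findings for one launchd plist (empty list means nothing flagged)."""
    try:
        with open(plist_path, "rb") as f:
            data = plistlib.load(f)
    except Exception as exc:  # malformed plist is itself worth a look
        return [f"unparseable plist ({type(exc).__name__})"]
    prog = launched_program(data)
    if prog is None:
        return ["no Program/ProgramArguments"]
    findings = []
    p = Path(prog)
    # T1564.001: any dot-prefixed directory or file name is hidden from Finder.
    if any(part.startswith(".") for part in p.parts if part not in (".", "..")):
        findings.append(f"T1564.001 hidden dot-prefixed path component in {prog}")
    # T1036: a Mach-O binary wearing a non-executable extension.
    if p.suffix.lower() in NON_EXEC_SUFFIXES and is_macho(p):
        findings.append(f"T1036 Mach-O with {p.suffix} extension at {prog}")
    # T1543.001/.004 supporting signal only: many legitimate agents set both keys.
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive (weak signal, common in legitimate agents)")
    return findings


def scan_launchd(dirs: List[str]) -> Dict[str, List[str]]:
    """Triage every *.plist in the given directories; keep only plists with findings."""
    results: Dict[str, List[str]] = {}
    for d in dirs:
        dp = Path(d)
        if not dp.is_dir():
            continue
        for plist_path in sorted(dp.glob("*.plist")):
            findings = triage_plist(plist_path)
            if findings:
                results[str(plist_path)] = findings
    return results


def build_constructed_sample(root: Path) -> List[str]:
    """Constructed fixtures (not real Dacls artifacts): one benign and one suspicious agent."""
    agents = root / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    hidden_dir = root / "Library" / ".sample"          # hidden directory
    hidden_dir.mkdir()
    payload = hidden_dir / ".sample.nib"                # hidden file, .nib extension
    payload.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # 64-bit LE Mach-O magic + padding
    with open(agents / "com.example.sample.plist", "wb") as f:
        plistlib.dump({"Label": "com.example.sample", "ProgramArguments": [str(payload)],
                       "RunAtLoad": True, "KeepAlive": True}, f)
    with open(agents / "com.example.updater.plist", "wb") as f:
        plistlib.dump({"Label": "com.example.updater", "RunAtLoad": True,
                       "Program": "/Applications/Example.app/Contents/MacOS/updater"}, f)
    return [str(agents)]


def demo() -> Dict[str, List[str]]:
    """Scan the constructed fixtures; the benign updater produces no findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_launchd(build_constructed_sample(Path(tmp)))


if __name__ == "__main__":
    for path, findings in demo().items():   # on a live host: scan_launchd(LAUNCHD_DIRS)
        print(path)
        for finding in findings:
            print("  -", finding)
```

The hidden-path and Mach-O checks are the ones that separate the sample from ordinary agents; RunAtLoad+KeepAlive is reported only to support the other two, because vendor agents set both routinely and flagging it alone would drown the SOC in false positives.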
Mitigation priorities
- First, close visibility gaps: ensure endpoint and network telemetry covers macOS, Linux, and Windows assets in scope.
- Harden macOS persistence surfaces by controlling and monitoring LaunchAgent and LaunchDaemon locations and requiring appropriate administrative oversight.
- Apply least privilege and software control practices to reduce unauthorized persistence, tool transfer, and execution opportunities.
- Use egress monitoring and network controls to scrutinize unusual web-protocol command-and-control patterns while accounting for normal business traffic.
- Prepare IR playbooks to triage remote access tooling by collecting persistence artifacts, process/file discovery evidence, file transfer records, and outbound network history.
Analyst notes and limits
The most decision-relevant point is Dacls’ cross-platform nature and its mapped behaviors. It is especially useful for assessing whether macOS is covered to the same standard as Windows and Linux in detection, response, and compliance evidence. Relationship context links Dacls to Lazarus Group and to techniques spanning stealth, discovery, command and control, tool transfer, and macOS persistence.
ATT&CK does not provide official detection guidance for this object, and the supplied tactics field for the malware itself is not specified. This take is limited to the supplied STIX fields, external references, and relationships; it does not assert active exploitation, local exposure, successful compromise, or guaranteed detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | Dacls can download its payload from a C2 server.[2][1] |
| Enterprise | T1071.001 | Web Protocols | Dacls can use HTTPS in C2 communications.[2][1] |
| Enterprise | T1057 | Process Discovery | Dacls can collect data on running and parent processes.[1] |
| Enterprise | T1543.001 | Launch Agent | Dacls can establish persistence via a LaunchAgent.[2][1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Dacls can encrypt its configuration file with AES CBC.[1] |
| Enterprise | T1543.004 | Launch Daemon | Dacls can establish persistence via a Launch Daemon.[2][1] |
| Enterprise | T1564.001 | Hidden Files and Directories | Dacls has had its payload named with a dot prefix to make it hidden from view in the Finder application.[2][1] |
| Enterprise | T1083 | File and Directory Discovery | Dacls can scan directories on a compromised host.[1] |
| Enterprise | T1036 | Masquerading | The Dacls Mach-O binary has been disguised as a .nib file.[2] |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (object hashes and MITRE modification timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 671ff0390d09… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] TrendMicro macOS Dacls May 2020: Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
[2] SentinelOne Lazarus macOS July 2020: Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
[3] MITRE ATT&CK: S0497 Dacls (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.