S0567: Dtrack
Analyst context for executives and security teams
Dtrack matters because ATT&CK describes it as Windows spyware associated with collection, discovery, stealth, persistence, and credential-access behaviors, with reported use against financial, research, and nuclear-sector environments. For leaders, the value is not the malware name alone; it is a reminder to validate whether Windows endpoint monitoring, identity controls, and incident response playbooks can expose quiet reconnaissance, keylogging, local data staging, and service-based persistence before sensitive data or operational context is lost.
Executive priority
Prioritize Dtrack as a resilience and evidence-readiness use case for high-value Windows environments, especially where sensitive research, finance operations, or cyber-physical dependencies exist. Executives should ask whether the organization can prove coverage for endpoint execution, Windows service changes, registry queries, process injection indicators, credential misuse, and data staging. The ATT&CK relationship to Lazarus Group increases threat-intelligence relevance, but local risk decisions should still be based on exposed assets, monitored telemetry, and incident response readiness rather than assumed targeting.
Technical view
SOC and IR teams should map Dtrack coverage to the ATT&CK relationships: Windows Command Shell execution, Windows service and autostart persistence, registry and system discovery, process hollowing, keylogging, local data collection/staging/archive activity, file deletion, embedded payloads, shared module loading, and valid account abuse. Because no official ATT&CK detection text is provided, detection engineering should validate behavior-based analytics rather than rely on a named-malware signature. Focus on correlated sequences: suspicious cmd execution followed by discovery commands, registry queries, service creation or modification, unusual module loading or process hollowing signals, collection from local files or browser data, archive creation, and cleanup activity.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows service creation/modification and boot/logon autostart evidence
- Registry access and modification logs where available
- EDR memory/process injection or process hollowing alerts
- File system events for discovery, staging, archive creation, embedded payload drops, and deletion
Detection direction
- Build detections around behavior chains, not only Dtrack-specific names or hashes, because the ATT&CK object provides no official detection guidance.
- Correlate discovery activity such as registry, process, network configuration, network connections, system information, and file/directory enumeration with later staging or archive activity.
- Tune Windows service and autostart detections to distinguish approved administration/software deployment from unusual persistence paths, suspicious binaries, or unexpected account context.
- Validate process hollowing and shared-module-loading visibility through EDR telemetry; these are common blind spots when only basic Windows logs are collected.
- Review keylogging-related alerts carefully because direct evidence may depend on endpoint sensor capability and can be noisy without process lineage and user context.
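The behavior-chain correlation described above, as an added example that is not part of the ATT&CK object or Glexia's analysis: a small Python correlator that maps normalized endpoint events to stages of the Dtrack-like chain (discovery via cmd.exe, service installation, archive creation, cleanup) and flags a host only when several distinct stages occur within a 30-minute window. The input events are constructed; the WBService name comes from the page's technique table, while the hostnames, paths and binary names are invented.

```python
# Added example: behavior-chain correlation for Dtrack-like activity.
# Not MITRE or Glexia code; event schema and sample data are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands commonly launched through cmd.exe (generic, not Dtrack-specific).
DISCOVERY_CMDS = ("ipconfig", "netstat", "tasklist", "systeminfo", "reg query", "net use", "dir ")
WINDOW = timedelta(minutes=30)

def classify(ev):
    """Map one normalized event to a chain stage, or None if it is not of interest."""
    d = ev["detail"].lower()
    if ev["event"] == "process_create" and "cmd.exe" in d and any(c in d for c in DISCOVERY_CMDS):
        return "discovery"
    if ev["event"] == "service_install":  # e.g. a new-service record from the System log
        return "persistence"
    if ev["event"] == "file_create" and d.endswith((".zip", ".7z", ".rar")):
        return "staging"
    if ev["event"] == "process_create" and "cmd.exe" in d and ("del " in d or "erase " in d):
        return "cleanup"
    return None

def correlate(events, min_stages=3):
    """Return {host: [stages in order]} for hosts with >= min_stages distinct stages inside WINDOW."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))
    hits = {}
    for host, seq in by_host.items():
        for i, (t0, _) in enumerate(seq):          # slide the window from each stage event
            stages = [s for t, s in seq[i:] if t - t0 <= WINDOW]
            distinct = list(dict.fromkeys(stages))  # keep first-seen order, drop repeats
            if len(distinct) >= min_stages:
                hits[host] = distinct
                break
    return hits

def sample_events():
    """Constructed sample telemetry: WS01 shows the full chain, WS02 only isolated admin noise."""
    t = datetime(2021, 1, 20, 9, 0)
    m = lambda n: t + timedelta(minutes=n)
    return [
        {"ts": m(0), "host": "WS01", "event": "process_create", "detail": "cmd.exe /c ipconfig /all"},
        {"ts": m(1), "host": "WS01", "event": "process_create", "detail": "cmd.exe /c netstat -naop tcp"},
        {"ts": m(2), "host": "WS01", "event": "process_create",
         "detail": "cmd.exe /c reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" /v RegisteredOwner"},
        {"ts": m(5), "host": "WS01", "event": "service_install", "detail": "WBService C:\\Windows\\Temp\\svc.exe"},
        {"ts": m(9), "host": "WS01", "event": "file_create", "detail": "C:\\Windows\\Temp\\out.zip"},
        {"ts": m(12), "host": "WS01", "event": "process_create", "detail": "cmd.exe /c del /f dropper.exe"},
        {"ts": m(0), "host": "WS02", "event": "process_create", "detail": "cmd.exe /c ipconfig /all"},
        {"ts": m(300), "host": "WS02", "event": "service_install", "detail": "Spooler C:\\Windows\\System32\\spoolsv.exe"},
    ]
```

Tuning the stage classifiers (for example requiring an unsigned or non-standard service binary path for "persistence") is where local allow-listing belongs; the chain logic itself stays the same.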
Mitigation priorities
- Harden and monitor privileged and remote-capable accounts, including MFA and least privilege where applicable, because ATT&CK maps Dtrack to Valid Accounts.
- Restrict and audit Windows service creation, boot/logon autostarts, and command shell use on sensitive systems.
- Ensure EDR or equivalent endpoint controls can observe process injection, suspicious module loading, file staging, archive creation, and deletion.
- Reduce unnecessary local sensitive data exposure on Windows endpoints and enforce data handling controls for high-value systems.
- Maintain application control, script/command execution governance, and change control for systems supporting finance, research, or operational technology-adjacent functions.
Analyst notes and limits
The supplied ATT&CK object identifies Dtrack as Windows spyware discovered in 2019 and reports use against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. ATT&CK also relates Dtrack to Lazarus Group and to multiple techniques spanning execution, discovery, collection, stealth, persistence, credential access, and command-and-control. This take uses those relationships for defensive prioritization but does not infer current activity, customer exposure, or guaranteed detection.
Official ATT&CK detection guidance is not provided for this malware object. The relationship context gives technique mappings but not complete procedures, indicators, commands, hashes, infrastructure, or validated analytic logic. Local telemetry, asset criticality, identity architecture, and endpoint control coverage are required to determine actual risk and detection quality.
Dtrack
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | Dtrack can collect a variety of information from victim machines. (Citation: CyberBit Dtrack) |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | Dtrack can save collected data to disk, different file formats, and network shares. (Citation: Securelist Dtrack)(Citation: CyberBit Dtrack) |
| Enterprise | T1082 | System Information Discovery | Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier. (Citation: Securelist Dtrack)(Citation: CyberBit Dtrack) |
| Enterprise | T1574 | Hijack Execution Flow | One of Dtrack can replace the normal flow of a program execution with malicious code. (Citation: CyberBit Dtrack) |
| Enterprise | T1056.001 | Keylogging (sub-technique) | Dtrack's dropper contains a keylogging executable. (Citation: Securelist Dtrack) |
| Enterprise | T1547 | Boot or Logon Autostart Execution | Dtrack's RAT makes a persistent target file with auto execution on the host start. (Citation: Securelist Dtrack) |
| Enterprise | T1543.003 | Windows Service (sub-technique) | Dtrack can add a service called WBService to establish persistence. (Citation: CyberBit Dtrack) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Dtrack has used |
| Enterprise | T1078 | Valid Accounts | Dtrack used hard-coded credentials to gain access to a network share. (Citation: CyberBit Dtrack) |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Dtrack can remove its persistence and delete itself. (Citation: Securelist Dtrack) |
| Enterprise | T1217 | Browser Information Discovery | Dtrack can retrieve browser history. (Citation: Securelist Dtrack)(Citation: CyberBit Dtrack) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | One of Dtrack can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla. (Citation: CyberBit Dtrack) |
| Enterprise | T1049 | System Network Connections Discovery | Dtrack can collect network and active connection information. (Citation: Securelist Dtrack) |
| Enterprise | T1027.009 | Embedded Payloads (sub-technique) | Dtrack has used a dropper that embeds an encrypted payload as extra data. (Citation: Securelist Dtrack) |
| Enterprise | T1012 | Query Registry | Dtrack can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values. (Citation: CyberBit Dtrack) |
| Enterprise | T1055.012 | Process Hollowing (sub-technique) | Dtrack has used process hollowing shellcode to target a predefined list of processes from |
| Enterprise | T1083 | File and Directory Discovery | Dtrack can list files on available disk volumes. (Citation: Securelist Dtrack)(Citation: CyberBit Dtrack) |
| Enterprise | T1016 | System Network Configuration Discovery | Dtrack can collect the host's IP addresses using the |
| Enterprise | T1057 | Process Discovery | Dtrack's dropper can list all running processes. (Citation: Securelist Dtrack)(Citation: CyberBit Dtrack) |
| Enterprise | T1560 | Archive Collected Data | Dtrack packs collected data into a password protected archive. (Citation: Securelist Dtrack) |
| Enterprise | T1129 | Shared Modules | Dtrack contains a function that calls |
| Enterprise | T1105 | Ingress Tool Transfer | Dtrack can download and upload a file to the victim's computer. (Citation: Securelist Dtrack)(Citation: CyberBit Dtrack) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Dtrack has used a decryption routine that is part of an executable physical patch. (Citation: Securelist Dtrack) |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | a0232f85d639… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Dtrack. Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021.
- [2] Securelist Dtrack. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
- [3] Dragos WASSONITE. Dragos. (n.d.). WASSONITE. Retrieved January 20, 2021.
- [4] CyberBit Dtrack. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
- [5] ZDNet Dtrack. Catalin Cimpanu. (2019, October 30). Confirmed: North Korean malware found on Indian nuclear plant's network. Retrieved January 20, 2021.
- [6] mitre-attack S0567.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.