MITRE ATT&CK® Malware

S0694: DRATzarus

DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.[1]

Domain: Enterprise | ID: S0694 | Type: Malware | Object version 1.1 (modified)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DRATzarus matters because it represents a Windows remote access tool associated in ATT&CK with Lazarus Group activity against defense and aerospace organizations. For leaders, the practical issue is not the malware name alone; it is whether the organization can quickly prove visibility into remote access behavior, local data collection, host and user discovery, tool transfer, and web-based command-and-control patterns if a similar RAT appears in a sensitive environment.

Executive priority

Prioritize this as an espionage-relevant remote access capability tied to sectors where intellectual property, national security programs, regulated data, and operational continuity are material. Executives should ask whether SOC and incident response teams can validate Windows endpoint coverage, web egress visibility, malware-analysis readiness for packed or obfuscated files, and evidence preservation for discovery and collection activity. For compliance and risk owners, the value is demonstrating that controls and logs can support investigation of unauthorized remote access, data staging, and command-and-control behavior rather than relying only on known malware signatures.

Technical view

ATT&CK lists DRATzarus as Windows malware with no official detection text, so defenders should build validation around the related behaviors: Data from Local System, Remote System Discovery, Obfuscated Files or Information, Software Packing, System Owner/User Discovery, Match Legitimate Resource Name or Location, Process Discovery, Web Protocols, Ingress Tool Transfer, Native API, System Time Discovery, Time Based Checks, and Debugger Evasion. SOC teams should confirm that Windows endpoint telemetry can show suspicious process execution, process and user enumeration, unusual file access or collection patterns, masqueraded file names or locations, and tool downloads. Network teams should validate visibility into HTTP/S or other web-protocol command-and-control-like traffic while accounting for the high false-positive rate of normal web traffic.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • File creation, modification, access, and suspicious placement telemetry
  • Endpoint detection alerts for packed, obfuscated, or masqueraded executables
  • User and logged-on session discovery evidence
  • Process enumeration and system discovery events

Detection direction

  • Do not depend only on the DRATzarus name or static signatures; ATT&CK provides no official detection guidance for this object.
  • Validate behavior-based detections for Windows discovery activity, including user, process, remote system, and system time discovery.
  • Tune web-protocol command-and-control analytics against normal business web traffic to reduce false positives while preserving visibility into unusual destinations, timing, and host context.
  • Look for suspicious file placement or names that approximate legitimate resources, especially when combined with new executable creation or unexpected execution.
  • Correlate packed or obfuscated binaries with execution, network egress, and follow-on discovery rather than treating packing alone as conclusive.
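As an added example that is not part of the Glexia page or the ATT&CK data, the detection direction above as a small correlation over constructed Sysmon-style endpoint events: a process whose name approximates a legitimate resource (the Flash.exe and IExplorer names the relationship table reports) running from an unusual path, with follow-on discovery children and web egress from that process added as corroborating reasons. The event schema, the expected-directory list and the discovery command set are assumptions.

```python
"""Added example (not from the Glexia page or ATT&CK data): correlation over
constructed Sysmon-style events per the detection direction above. A process
is flagged when a name approximating a legitimate resource (the Flash.exe /
IExplorer names in the relationship table) runs from a non-standard path; its
discovery children and web egress become extra reasons. Schema is assumed."""

# Names the page reports DRATzarus using (IExplorer is given without extension).
MASQUERADE_NAMES = {"flash.exe", "iexplorer.exe"}
# Assumed directories where such names would plausibly live legitimately.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed built-in discovery utilities (user, process, remote system discovery).
DISCOVERY_CMDS = {"whoami.exe", "net.exe", "net1.exe", "tasklist.exe", "arp.exe"}

# Constructed sample telemetry: (timestamp, host, event_type, fields).
EVENTS = [
    (100, "ws1", "process_create", {"pid": 41, "parent": 7,
                                    "image": "C:\\Users\\bob\\AppData\\Roaming\\Flash.exe"}),
    (105, "ws1", "process_create", {"pid": 42, "parent": 41,
                                    "image": "C:\\Windows\\System32\\whoami.exe"}),
    (106, "ws1", "process_create", {"pid": 43, "parent": 41,
                                    "image": "C:\\Windows\\System32\\tasklist.exe"}),
    (120, "ws1", "network_connect", {"pid": 41, "dst": "203.0.113.9", "dst_port": 443}),
    # Benign control: discovery command under a normal parent, no masquerade.
    (200, "ws2", "process_create", {"pid": 88, "parent": 9,
                                    "image": "C:\\Windows\\System32\\whoami.exe"}),
    (201, "ws2", "network_connect", {"pid": 9, "dst": "198.51.100.7", "dst_port": 443}),
]

def suspicious_masquerade(image: str) -> bool:
    """Lookalike name running outside the directories where it normally lives."""
    path = image.lower()
    return path.rsplit("\\", 1)[-1] in MASQUERADE_NAMES and not path.startswith(EXPECTED_DIRS)

def correlate(events, window=600):
    """Return {(host, pid): sorted reasons} for flagged processes. Discovery
    children and HTTP/S egress count only within `window` seconds of the start."""
    findings = {}
    for ts, host, etype, f in sorted(events, key=lambda e: e[0]):
        key, parent_key = (host, f["pid"]), (host, f.get("parent"))
        if etype == "process_create" and suspicious_masquerade(f["image"]):
            findings[key] = {"start": ts, "reasons": {"masqueraded_name_unusual_path"}}
        elif etype == "process_create" and parent_key in findings:
            name = f["image"].lower().rsplit("\\", 1)[-1]
            if name in DISCOVERY_CMDS and ts - findings[parent_key]["start"] <= window:
                findings[parent_key]["reasons"].add("discovery:" + name)
        elif etype == "network_connect" and key in findings and f["dst_port"] in (80, 443):
            if ts - findings[key]["start"] <= window:
                findings[key]["reasons"].add("web_egress:" + f["dst"])
    return {k: sorted(v["reasons"]) for k, v in findings.items()}
```

Packing or obfuscation alerts from the endpoint product would slot in as one more reason on the same key, keeping packing corroborative rather than conclusive, as the last bullet advises.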

Mitigation priorities

  • Maintain strong Windows endpoint prevention and monitoring coverage on systems that handle sensitive defense, aerospace, government, or high-value business data.
  • Restrict and monitor outbound web traffic where operationally feasible, with proxy, DNS, and firewall logging retained for investigations.
  • Harden least-privilege access and reduce unnecessary local data exposure so local collection from a compromised endpoint has less business impact.
  • Control software execution and file download paths through application control, endpoint policy, and user privilege management where appropriate.
  • Prepare incident response playbooks for suspected RAT activity, including host isolation, memory and disk collection, credential exposure review, and egress analysis.

Analyst notes and limits

The supplied ATT&CK object identifies DRATzarus as a RAT used by Lazarus Group and related to Operation Dream Job, with historical targeting of defense and aerospace organizations and additional campaign context involving defense, aerospace, government, and other sectors. The most useful defensive framing is behavior-led: remote access, discovery, data collection, obfuscation, masquerading, tool transfer, and web-protocol communications on Windows systems.

MITRE provides no official detection text, no aliases, and no explicit tactics on the malware object; only the supplied relationships define the behavioral scope here. Local telemetry, baselines, asset criticality, and confirmed indicators are required before assessing exposure, incident impact, or detection coverage. The presence of related ATT&CK techniques does not prove current exploitation or compromise in any environment.

Official MITRE ATT&CK definition
The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1033 | System Owner/User Discovery
DRATzarus can obtain a list of users from an infected machine. [1]

Enterprise | T1622 | Debugger Evasion
DRATzarus can use `IsDebuggerPresent` to detect whether a debugger is present on a victim. [1]

Enterprise | T1124 | System Time Discovery
DRATzarus can use the `GetTickCount` and `GetSystemTimeAsFileTime` API calls to inspect system time. [1]

Enterprise | T1005 | Data from Local System
DRATzarus can collect information from a compromised host. [1]

Enterprise | T1105 | Ingress Tool Transfer
DRATzarus can deploy additional tools onto an infected machine. [1]

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique)
DRATzarus has been named `Flash.exe`, and its dropper has been named `IExplorer`. [1]

Enterprise | T1018 | Remote System Discovery
DRATzarus can search for other machines connected to the compromised host and attempt to map the network. [1]

Enterprise | T1106 | Native API
DRATzarus can use various API calls to see if it is running in a sandbox. [1]

Enterprise | T1027.002 | Software Packing (sub-technique)
DRATzarus's dropper can be packed with UPX. [1]

Enterprise | T1057 | Process Discovery
DRATzarus can enumerate and examine running processes to determine if a debugger is present. [1]

Enterprise | T1071.001 | Web Protocols (sub-technique)
DRATzarus can use HTTP or HTTPS for C2 communications. [1]

Enterprise | T1497.003 | Time Based Checks (sub-technique)
DRATzarus can use the `GetTickCount` and `GetSystemTimeAsFileTime` API calls to measure function timing. [1] DRATzarus can also remotely shut down into sleep mode under specific conditions to evade detection. [1]

Enterprise | T1027 | Obfuscated Files or Information
DRATzarus can be partly encrypted with XOR. [1]

Associated objects

Groups, software, and campaigns

Campaign Enterprise

C0022: Operation Dream Job

Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: c333853570d92ccf...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | c333853570d9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ClearSky Lazarus Aug 2020. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  2. [2] mitre-attack S0694.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.