Lazarus Group Is Still Juicing Log4Shell, Using RATs Written in D

Published: 23/11/2024   Category: security




The infamous vulnerability may be on the older side at this point, but North Korea's primo APT Lazarus is creating new, unique malware around it at a remarkable clip.



North Korean hackers are still exploiting Log4Shell around the world. And lately, they're using that access to attack organizations with one of three new remote access Trojans (RATs) written in the rarely seen D (aka dlang) programming language.
The group behind this scheme, Andariel (aka Onyx Sleet, Plutonium), is one of many entities within Lazarus, the umbrella cybercrime collective. Andariel specializes in obtaining initial access and persistence for longer-term espionage campaigns in service of the Kim Jong Un regime. In some cases, though, it has carried out its own ransomware attacks against healthcare organizations.
Since March, Cisco Talos has observed three Andariel attacks of note using Log4Shell: against an agriculture organization in South America, a European manufacturing company, and an American subsidiary of a Korean physical security company.
In each of these cases, the group has deployed novel malware written in an unpopular C++ offshoot programming language known as D, with the intent to throw off detection and analysis. As Cisco Talos head of outreach Nick Biasini emphasizes, this is what makes North Korea's hackers most unique.
"For a long time tooling has been collapsing — everybody kind of uses the same tool sets to obscure attribution," he says. "Lazarus has gone the exact opposite direction. They go crazy with writing bespoke malware."
Andariel's recent attacks began by exploiting exposed VMware Horizon servers carrying Log4Shell, the now 2-year-old historic vulnerability in Apache Log4j.
The flaw (CVE-2021-44228) is a max-severity vulnerability that rates 10 out of 10 on the CVSS bug-severity scale. Due to the ubiquity of the Log4j Java library that it impacted, researchers estimated that affected systems were in the hundreds of millions when it was first discovered.
Two years on and multiple "the sky is falling" headlines later, Veracode reported last week that more than a third (38%) of all in-use applications are still using vulnerable versions of Log4j.
"It's possible that organizations have software that they don't even realize was affected by Log4j — it was so widely used that the cascading impacts are still really being felt today," Biasini says with some sympathy, and a caveat. "That being said, patching is still something that organizations struggle with."
In the three recent campaigns that the researchers highlighted, Log4Shell was used to achieve initial access. After the intrusion, to establish persistence, the attackers dropped HazyLoad, a custom proxy tool. Next, they created new users with administrative privileges on the host machine, which they used to download credential harvesting software like Mimikatz and, ultimately, their custom malware tools.
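The post-intrusion step described above, creating new accounts and granting them administrative rights, is one a defender can hunt for directly. The following is an added example, not code from the article or from Cisco Talos: it correlates constructed Windows Security log records (event 4720, account created, and event 4732, member added to a security-enabled local group) and flags any account that was created and then placed in an administrators group on the same host within a short window. The event field names, the host and account names and the 30-minute window are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): the minimal fields of
# Windows Security events 4720 (a user account was created) and 4732 (a
# member was added to a security-enabled local group), flattened to dicts.
SAMPLE_EVENTS = [
    {"time": "2024-03-10T02:14:05", "host": "horizon-01", "id": 4720, "target": "svc_backup"},
    {"time": "2024-03-10T02:14:31", "host": "horizon-01", "id": 4732, "target": "svc_backup",
     "group": "Administrators"},
    {"time": "2024-03-10T09:00:00", "host": "hr-ws-17", "id": 4720, "target": "jdoe"},
    {"time": "2024-03-12T09:00:00", "host": "hr-ws-17", "id": 4732, "target": "jdoe",
     "group": "Remote Desktop Users"},
    # Admin group change for an account whose creation is not in this window.
    {"time": "2024-03-11T11:30:00", "host": "fileserv", "id": 4732, "target": "ops_admin",
     "group": "Administrators"},
]

ADMIN_GROUPS = ("Administrators", "Domain Admins")  # assumed naming


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_new_admins(events, window=timedelta(minutes=30), admin_groups=ADMIN_GROUPS):
    """Return (host, account) pairs where an account was created (4720) and
    then added to an admin group (4732) on the same host within `window`."""
    created = defaultdict(list)  # (host, account) -> creation timestamps
    for ev in events:
        if ev["id"] == 4720:
            created[(ev["host"], ev["target"])].append(_ts(ev["time"]))

    hits = []
    for ev in events:
        if ev["id"] != 4732 or ev.get("group") not in admin_groups:
            continue
        key = (ev["host"], ev["target"])
        added_at = _ts(ev["time"])
        # Only a creation that precedes the group change, and not by more
        # than `window`, counts as the suspicious create-then-elevate pattern.
        if any(timedelta(0) <= added_at - c <= window for c in created.get(key, [])):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for host, account in find_new_admins(SAMPLE_EVENTS):
        print(f"new admin account on {host}: {account}")
```

On the constructed records only the `svc_backup` account on `horizon-01` is flagged: `jdoe` was added to a non-admin group two days after creation, and `ops_admin` has no matching creation event. Tuning the window and the group list to the environment is what keeps this from firing on routine provisioning.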
Andariel's current arsenal includes NineRAT, a dropper-cum-backdoor that uses Telegram as its command-and-control (C2) base; DLRAT, used for downloading additional malware and executing commands on infected hosts; and a downloader called BottomLoader.
Though outwardly unexceptional, these new tools do stand out for being written in D, a 22-year-old offshoot of C++.
Some hackers achieve stealth with living-off-the-land (LotL) techniques. Some use code obfuscation, steganography, and more elaborate tricks. In contrast, North Korean hackers — more so than anyone else, it seems — resist detection and analysis by building custom malware in bulk, using old, unloved programming languages their adversaries aren't expecting.
"A lot of malware detection is either written for specific malware variants, or written in ways that detect more general characteristics of malware," Biasini explains. Novel malware — which the DPRK creates plenty of — serves to defeat antivirus scans looking for specific signatures, and oddball languages like D add a layer of difficulty for programs trained on more common ones.
Lazarus proved as much with QuiteRAT, its recently discovered tool built with Qt, a framework designed for building graphical user interfaces. "By using these weird programming languages, they can potentially evade some of those detections. Maybe the endpoint detection won't flag that weird RAT that's written in dlang, but if they pulled a RAT that was written in C or C++, it'd get flagged immediately," Biasini says.
It's for this reason that Lazarus attacks demand just a bit of extra vigilance.
"It's going to take you a while to get your feet underneath you and understand how this works," Biasini cautions, "because logically it's all the same, but it just does it in a different format."
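One practical answer to the detection gap Biasini describes is to triage unknown binaries for the fingerprints the D toolchain leaves behind, so that "written in dlang" becomes a reason to look closer rather than a reason to miss it. The following is an added example, not code from the article or from Cisco Talos: it scans a byte buffer for symbols in the D ABI's name-mangling scheme, where every mangled symbol starts with `_D` followed by length-prefixed identifiers (for example `_D4core9exception11AssertError`). The sample byte strings are constructed stand-ins for file contents, and the threshold of two symbols is an assumption for the illustration.

```python
import re
from typing import List

# D ABI name mangling: "_D", then one or more length-prefixed identifiers
# such as 4core 9exception 11AssertError. Requiring at least two components
# avoids matching a stray "_D1x" in unrelated data.
D_MANGLED = re.compile(rb"_D(?:\d+[A-Za-z_][A-Za-z0-9_]*){2,}")

# Constructed byte strings standing in for file contents (not real samples).
SAMPLE_D_BINARY = (
    b"\x7fELF...\x00"
    b"_D4core9exception11AssertError6__ctorMFNaNbNfAyamC6object9ThrowableZ\x00"
    b"_D3std5stdio4File8readlnMFZAya\x00"
)
# A C/C++ binary: Itanium mangling starts with "_Z", and plain C symbols
# carry no length prefixes, so neither should match.
SAMPLE_C_BINARY = (
    b"\x7fELF...\x00__libc_start_main\x00printf\x00_ZN3foo3barEv\x00"
)


def d_symbol_matches(data: bytes) -> List[bytes]:
    """Return every byte sequence that parses as a D-mangled symbol."""
    return D_MANGLED.findall(data)


def looks_like_dlang(data: bytes, min_symbols: int = 2) -> bool:
    """Heuristic: a buffer with several D-mangled symbols was most likely
    produced by a D compiler (assumed threshold, tune per environment)."""
    return len(d_symbol_matches(data)) >= min_symbols


def scan_file(path: str) -> bool:
    """Convenience wrapper for running the heuristic over a file on disk."""
    with open(path, "rb") as fh:
        return looks_like_dlang(fh.read())


if __name__ == "__main__":
    for name, blob in (("sample_d", SAMPLE_D_BINARY), ("sample_c", SAMPLE_C_BINARY)):
        verdict = "D runtime symbols present" if looks_like_dlang(blob) else "no D symbols"
        print(f"{name}: {verdict} ({len(d_symbol_matches(blob))} matches)")
```

Symbol stripping or packing removes these strings, so the check is a triage aid for the common case rather than proof of anything; a file that passes it still deserves the same review as a C or C++ sample that trips a signature.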
