The North Korea-linked APT group Lazarus is behind a new hacking campaign that exploits Log4j vulnerabilities to deploy previously undocumented remote access trojans (RATs). Cisco Talos researchers tracked the campaign as Operation Blacksmith, the nation-state actors are employing at least three new DLang-based malware families. Two of these malware strains are remote access trojans (RATs), respectively tracked as NineRAT and “DLRAT”. The former relies on Telegram bots and channels for C2 communications.

Talos believes that NineRAT was built around May 2022, but was first spotted on March 2023 as part of Operation Blacksmith.