Is the core industrial system in crisis? A review and analysis of the cyber attack on an Indian nuclear power plant

2019-10-31 Qihoo360 Is the core industrial system in crisis? Summary and analysis of cyber attacks on Indian nuclear power plants

https://mp.weixin.qq.com/s/haCZK4m3JVpmgxXNMj30hQ

QiAnXin analyzes DTrack samples that public reporting ties to the intrusion at the Kudankulam nuclear power plant in India, including a sample uploaded to VirusTotal that contains an embedded KKNPP-related username. The report describes an MFC-based dropper that extracts shellcode, DTrack RAT behavior that encrypts and ZIP-compresses the files it collects, and related variants with device fingerprinting, encrypted strings, command-file download logic, and multiple persistence methods. Infrastructure and indicators include MD5 hashes, references to internal IP addresses, and external URLs under heromessi.com and hawai-tour.com that appear to be hosted on compromised sites. The authors note strong similarities between the DTrack code and Kaspersky's DTrack reporting, and observe that the ZIP password and code overlap with McAfee's Operation Troy material, which has historically been attributed to the Lazarus Group.

Indicators of Compromise

