Hello! My name is Dtrack

2019-09-23 Kaspersky

https://securelist.com/my-name-is-dtrack/93338/


Kaspersky’s Dtrack analysis links the RAT family to Lazarus through code similarities with older malware and activity against India’s financial sector and research centers. The investigation began with ATMDtrack banking malware targeting Indian ATMs and expanded to more than 180 Dtrack samples uncovered through shared code sequences. Droppers stored encrypted payloads in PE overlays, decrypted them at runtime, and used process hollowing to run spying components under system process names. The report details a Lazarus-associated espionage toolset focused on payload concealment, process hollowing, and data collection.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   f84de0a584ae7e02fb0ffe679f96db8d   2019-09-23   2019-09-23
HASH   3a3bad366916aa3198fd1f76f3c29f24   2019-09-23   2019-09-23
HASH   8f360227e7ee415ff509c2e443370e56   2019-09-23   2019-09-23
