Lazarus’ Dtrack marathon

2020-09-09 PWC

https://www.youtube.com/watch?v=TKeQ0LgAVQM


In this talk, we’ll take attendees on our journey analysing the Dtrack remote access trojan, and discuss how the hunt for Dtrack led us to further discoveries: a dropper family PwC calls TrackDrop, and further connections between Lazarus Group and the related threat actor known as Andariel. We’ll describe how, by signaturing the cryptographic routines used in TrackDrop, we were able to map out the extensive range of tools it has delivered to Lazarus’ targets. We’ll also present further evidence connecting Lazarus Group and Andariel, and make the case for why PwC tracks them as a single actor: Black Artemis. In particular, we’ll discuss how we observed TrackDrop delivering a specific downloader we call ANONYBR, which is uniquely associated with Andariel, raising interesting questions about attribution and threat actor tracking.
