Thief in the Dark: Lazarus Uses Dtrack RAT Tool to Steal Massive Medical Data

2020-12-18 Threat Book

https://threatbook.io/blog/Thief-in-the-Dark:-Lazarus-Uses-Dtrack-RAT-Tool-to-Steal-Massive-Medical-Data

ThreatBook describes Lazarus using the Dtrack RAT in an intrusion that exposed large volumes of medical files and affected servers or PCs across multiple countries and regions. The operators compromised public-facing servers and reused them as Dtrack C2 infrastructure, a pattern the report links to Lazarus scanning, brute-force, and exploitation activity. The Dtrack client decrypts its configuration with RC4, collects host and registration details, checks in over HTTP, and supports file transfer, a remote shell, and encrypted command results. Server-side PHP components on the compromised hosts stored victim check-ins, issued commands, and held tooling and stolen data; the C2 URLs and related IOCs recovered from them give defenders concrete detection material.
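The summary above ends on the point that the recovered C2 addresses and file hash are usable detection material. The following script is an added example, not code from ThreatBook or from the report: it parses the IoC table on this page into IP, host and MD5 sets and runs them over a few constructed proxy-log lines and file-hash records. The log format, the internal client addresses, the file paths and the second hash are all constructed for the example; the URL indicator on the page is truncated, so only its hostname is used.

```python
import re
from urllib.parse import urlsplit

# IoC rows copied from the table on this page (type, value, first seen, last seen).
# The URL entry is truncated on the page; only its hostname is used below.
IOC_TABLE = """\
IPv4 145.232.235.222 2020-12-18 2022-08-09
HASH f5b338d6bca36d47ee04d93d08c57861 2020-12-18 2020-12-18
URL http://www.bwaprzemysl.pl/formu… 2020-12-18 2020-12-18
IPv4 36.99.136.129 2020-12-18 2020-12-18
IPv4 46.14.68.202 2020-12-18 2020-12-18
IPv4 68.183.78.131 2020-12-18 2020-12-18
IPv4 36.99.136.136 2020-12-18 2020-12-18
"""

# Constructed proxy log lines (timestamp, client, method, target, status).
SAMPLE_LOG = [
    "2020-12-20T10:01:02Z 10.0.0.5 CONNECT 145.232.235.222:443 200",
    "2020-12-20T10:02:11Z 10.0.0.7 GET http://www.bwaprzemysl.pl/index.php 200",
    "2020-12-20T10:03:40Z 10.0.0.9 GET http://example.invalid/update 404",
    "2020-12-20T10:05:00Z 10.0.0.5 CONNECT 36.99.136.129:80 200",
]

# Constructed (path, md5) records, e.g. from an EDR file inventory.
SAMPLE_HASHES = [
    ("C:\\Windows\\Temp\\svc.exe", "F5B338D6BCA36D47EE04D93D08C57861"),
    ("C:\\Users\\Public\\notes.txt", "d41d8cd98f00b204e9800998ecf8427e"),
]


def parse_iocs(table):
    """Turn the four-column IoC table into sets keyed by indicator kind."""
    iocs = {"ip": set(), "md5": set(), "host": set()}
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip header or malformed rows
        kind, value = parts[0], parts[1]
        if kind == "IPv4":
            iocs["ip"].add(value)
        elif kind == "HASH" and re.fullmatch(r"[0-9a-f]{32}", value):
            iocs["md5"].add(value)  # only 32-hex MD5 values are accepted here
        elif kind == "URL":
            host = urlsplit(value).hostname  # truncated path does not matter
            if host:
                iocs["host"].add(host)
    return iocs


def scan_log(lines, iocs):
    """Return (line_no, kind, value) for every token matching an IP or host IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in line.split():
            if tok.startswith(("http://", "https://")):
                host = urlsplit(tok).hostname
                if host and host in iocs["host"]:
                    hits.append((n, "host", host))
            else:
                ip = tok.rsplit(":", 1)[0]  # drop an optional :port suffix
                if ip in iocs["ip"]:
                    hits.append((n, "ip", ip))
    return hits


def check_hashes(records, iocs):
    """Return (path, md5) pairs whose MD5 matches a hash IoC, case-insensitively."""
    return [(path, h.lower()) for path, h in records if h.lower() in iocs["md5"]]


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TABLE)
    for hit in scan_log(SAMPLE_LOG, iocs):
        print("log match:", hit)
    for match in check_hashes(SAMPLE_HASHES, iocs):
        print("hash match:", match)
```

Matching on the bare hostname is deliberate: a truncated or rewritten path would otherwise hide the check-in, and the report describes compromised legitimate servers as C2, so a hit on that host is a lead to investigate rather than proof of compromise on its own.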

Indicators of Compromise

Type  Value                              First Seen  Last Seen
IPv4  145.232.235.222                    2020-12-18  2022-08-09
HASH  f5b338d6bca36d47ee04d93d08c57861   2020-12-18  2020-12-18
URL   http://www.bwaprzemysl.pl/formu…   2020-12-18  2020-12-18
IPv4  36.99.136.129                      2020-12-18  2020-12-18
IPv4  46.14.68.202                       2020-12-18  2020-12-18
IPv4  68.183.78.131                      2020-12-18  2020-12-18
IPv4  36.99.136.136                      2020-12-18  2020-12-18
