Detection Content: MATA Multi-platform malware framework by Lazarus APT

Last week, researchers reported on the latest notorious Lazarus APT tool, which has been used in the group’s attacks since spring 2018. Their new ‘toy’ was named MATA, it is a modular cross-platform framework with several components including a loader, orchestrator, and multiple plugins that can be used to infect Windows, Linux, and macOS systems. Lazarus group used MATA for ransomware deployment and data theft in attacks targeting corporate entities from Poland, Germany, Turkey, Korea, Japan, and India.

MATA framework is capable of loading plugins into the attacked system’s memory to run commands, manipulate files and processes, inject DLLs, create HTTP proxies and tunnels on Windows devices. Adversaries can also use the MATA plugins to scan for new targets on macOS and Linux-based machines, and researchers discovered a module that can be used to configure proxy servers on macOS platform.

Osman Demir published a community rule that helps security solutions to uncover this threat:


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio


EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Execution, Defense Evasion

Techniques: Modify Registry (T1112), Windows Management Instrumentation (T1047)


It is worth noting that at the end of last year, Qihoo 360 Netlab researchers also published information about some modifications of this framework, which they called Dacls. The content for their detection was also developed by the participants of the Threat Bounty Program:

Dacls RAT (Lazarus’s Linux Malware) by Ariel Millahuel

APT38 – Lazarus Dacls RAT Win/Linux detection rule by Emanuele De Lucia –

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts