DeltaCharlie is a distributed denial-of-service (DDoS) tool attributed to the Lazarus Group, the North Korean state-sponsored hacking group whose activity the U.S. government tracks as HIDDEN COBRA, and is used to build a DDoS botnet. It runs on infected Windows hosts as a svchost-based service, and its capabilities include launching Domain Name System (DNS), Network Time Protocol (NTP) and Character Generator Protocol (CHARGEN) DDoS attacks; all three are UDP services that are routinely abused as reflectors to amplify attack traffic, so the outbound traffic of an infected host toward those services is what a defender should watch for. DeltaCharlie can also download additional malware onto infected systems, update its own code and configuration, and terminate its own processes.
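As an added illustration of the network-side check described above (this is example detection logic written for this page, not code from the US-CERT alert, from the Lazarus Group tooling, or from any analysis of DeltaCharlie), the following Python sketch scans NetFlow-style egress records for two symptoms of a bot driving DNS/NTP/CHARGEN reflection traffic: an internal host sending small UDP requests to many distinct servers on ports 53, 123 or 19, and packets leaving the network with a source address that does not belong to it (the spoofed victim address that a reflection attack relies on). The `Flow` record layout, the `10.0.0.0/8` internal prefix, the thresholds and the sample records are all assumptions constructed for the example; the generalization from "DNS/NTP/CHARGEN DDoS" to "reflection traffic" is the author's, not a statement about how DeltaCharlie is implemented.

```python
"""Flag internal hosts that look like they are driving UDP reflection attacks.

Added example for this page; not code from TA17-164A or from the malware.
Input is a constructed list of NetFlow-style records from an egress sensor.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# UDP services commonly abused as reflectors: DNS, NTP, CHARGEN (assumed set).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CHARGEN"}
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal prefix


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (constructed layout, not a real exporter's)."""
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    octets: int


def reflection_suspects(flows, min_reflectors=20, max_avg_bytes=120):
    """Return {src_ip: {service: distinct_reflectors}} for sources that send
    small UDP requests to at least min_reflectors distinct DNS/NTP/CHARGEN
    servers. Small average packet size separates requests from replies."""
    per_src = defaultdict(lambda: defaultdict(set))
    totals = defaultdict(lambda: [0, 0])  # src -> [octets, packets]
    for f in flows:
        if f.proto != "udp" or f.dport not in REFLECTOR_PORTS:
            continue
        per_src[f.src][REFLECTOR_PORTS[f.dport]].add(f.dst)
        totals[f.src][0] += f.octets
        totals[f.src][1] += f.packets
    suspects = {}
    for src, services in per_src.items():
        octets, packets = totals[src]
        if packets and octets / packets <= max_avg_bytes:
            hits = {svc: len(dsts) for svc, dsts in services.items()
                    if len(dsts) >= min_reflectors}
            if hits:
                suspects[src] = hits
    return suspects


def spoofed_egress(flows):
    """Return flows leaving the network whose source address is not ours.
    A reflection attack forges the victim's address as the source, so these
    should never appear on an egress link that enforces BCP 38 filtering."""
    return [f for f in flows if ipaddress.ip_address(f.src) not in LOCAL_NET]


def sample_flows():
    """Constructed sample: one bot, one ordinary client, one spoofed burst."""
    flows = []
    # bot 10.0.0.7: 60-byte queries to 50 distinct resolvers, 48-byte NTP
    # requests to 30 distinct time servers
    for i in range(50):
        flows.append(Flow("10.0.0.7", f"198.51.100.{i + 1}", "udp", 53, 10, 600))
    for i in range(30):
        flows.append(Flow("10.0.0.7", f"203.0.113.{i + 1}", "udp", 123, 10, 480))
    # normal client 10.0.0.9: only talks to the two corporate resolvers
    flows.append(Flow("10.0.0.9", "10.0.0.53", "udp", 53, 40, 2800))
    flows.append(Flow("10.0.0.9", "10.0.0.54", "udp", 53, 12, 840))
    # forged source: CHARGEN requests leaving with the victim's address
    for i in range(5):
        flows.append(Flow("192.0.2.10", f"198.51.100.{i + 1}", "udp", 19, 10, 200))
    return flows


if __name__ == "__main__":
    print("reflection suspects:", reflection_suspects(sample_flows()))
    print("spoofed egress flows:", len(spoofed_egress(sample_flows())))
```

On the constructed sample the first check flags only 10.0.0.7 (50 DNS and 30 NTP reflectors), not the client that merely queries two resolvers; the second check returns the five forged-source CHARGEN flows, which the reflector-count check alone would miss because a single burst rarely reaches the threshold. In practice the thresholds need tuning against a baseline of the network's own resolver and NTP traffic, and a match should be followed by host triage against the IoCs and YARA rules the alert publishes.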

On June 13, 2017, the U.S. Department of Homeland Security (DHS) and the FBI published a joint Technical Alert, US-CERT Alert TA17-164A, that includes DeltaCharlie indicators of compromise (IoCs) and YARA rules. The alert is the authoritative source for those indicators; defenders should take the IP addresses, file hashes and YARA rules from it directly rather than from secondary reporting, and treat any match as a reason for host triage rather than as a confirmed infection on its own.

Reporting and Technical Details:

  • DHS and FBI Publish Details on DeltaCharlie, North Korea's DDoS Botnet (Bleeping Computer)
  • HIDDEN COBRA - North Korea's DDoS Botnet Infrastructure (US-CERT)
  • Operation BLOCKBUSTER - Unraveling the Long Thread of the Sony Attack (NOVETTA)