The second backdoor was named Dolphin because the executable contained the term. Besides collecting basic information about the targeted machine (including the operating system version, malware version, list of installed security products, username, and computer name), the backdoor has a wide range of spying capabilities, including monitoring drives and portable devices; exfiltrating files of interest; keylogging; taking screenshots; and stealing credentials from browsers. Its functionality is reserved for selected targets after an initial compromise with less advanced malware.

By default, Dolphin searches all fixed hard drives and non-fixed drives, creates directory listings, and exfiltrates files by extension. Dolphin also searches portable devices, such as smartphones, via the Windows Portable Device API. The backdoor also steals credentials from browsers, and is capable of keylogging and taking screenshots. Finally, it stages this data in encrypted ZIP archives before uploading to Google Drive, which is also used for command-and-control communication. 

One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably to maintain Gmail account access for the threat actors.

APT37, which deploys Dolphin, primarily focuses on South Korea and seems to be interested mainly in government and military organizations, and firms in various industries linked to North Korean interests. Since the initial discovery of Dolphin in April 2021, ESET researchers have observed multiple versions of the backdoor, in which capabilities were improved, and more features were added to evade detection.