{
	"id": "94a382ed-1160-4d59-ad81-7cee9ebe54cd",
	"created_at": "2026-04-06T00:08:36.918553Z",
	"updated_at": "2026-04-10T03:28:19.113495Z",
	"deleted_at": null,
	"sha1_hash": "252a76a63dc947a76b0af12c6c897542aa9d6a40",
	"title": "Tracing the Lineage of DarkSeoul",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 27838,
	"plain_text": "Tracing the Lineage of DarkSeoul\r\nCreated by: David Martin\r\nArchived: 2026-04-05 13:42:14 UTC\r\nThis paper presents a case study of the April 2013 'DarkSeoul' cyber-attack, which crippled tens of thousands of\r\ncomputers in South Korea's banking and media sectors through the use of destructive malware. While the attack\r\nwas initially believed to be the work of hacktivists, malware researchers discovered it was actually the outgrowth\r\nof a multi-year cyber-espionage campaign waged by the North Korean government. By analyzing the code\r\ncommonalities and tracing the malware used in a number of seemingly unrelated incidents, researchers were able\r\nto trace the evolution of the intruders' techniques and reach the conclusion that the attacks represented a targeted\r\nattack by North Korea. At the same time, the South Korean government reached the same conclusion through its\r\ninvestigation and publicly attributed the attacks to North Korea. In particular, this study will focus on the\r\nmalware lineage analysis techniques used by researchers and identify critical security controls that were subverted\r\nin order to successfully launch the attack. This study will also address critical security controls that could have\r\nhelped prevent this attack, or significantly mitigated its damage.\r\nSource: https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787"
	],
	"report_names": [
		"tracing-lineage-darkseoul-36787"
	],
	"threat_actors": [
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434116,
	"ts_updated_at": 1775791699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/252a76a63dc947a76b0af12c6c897542aa9d6a40.pdf",
		"text": "https://archive.orkl.eu/252a76a63dc947a76b0af12c6c897542aa9d6a40.txt",
		"img": "https://archive.orkl.eu/252a76a63dc947a76b0af12c6c897542aa9d6a40.jpg"
	}
}