{
	"id": "8bd6eb6d-7beb-4187-87bf-bda25dc71194",
	"created_at": "2026-04-06T00:13:53.78509Z",
	"updated_at": "2026-04-10T03:28:19.188952Z",
	"deleted_at": null,
	"sha1_hash": "fcd3e57f6ea8de52f10e120df008a3df8eec65cb",
	"title": "Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 263541,
	"plain_text": "Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War\r\nArchived: 2026-04-05 18:22:06 UTC\r\nYesterday, June 25, the Korean peninsula observed a series of cyberattacks coinciding with the 63rd anniversary of the start of the Korean War. While multiple attacks were conducted by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks observed yesterday against South Korean government websites can be directly linked to the DarkSeoul gang and Trojan.Castov.\r\nWe can now attribute multiple previous high-profile attacks to the DarkSeoul gang over the last 4 years against South Korea, in addition to yesterday’s attack. These attacks include the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters, as well as the attacks on South Korean financial companies in May 2013.\r\nConducting DDoS attacks and hard disk wiping on key historical dates is not new for the DarkSeoul gang. They previously conducted DDoS and wiping attacks on the United States Independence Day as well.\r\nFigure 1. Four years of DarkSeoul activity\r\nThe DarkSeoul gang’s attacks tend to follow similar methods of operation. Trademarks of their attacks include:\r\nhttps://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war\r\nPage 1 of 4\r\nMulti-staged, coordinated attacks against high-profile targets in South Korea\r\nDestructive payloads, such as hard disk wiping and DDoS attacks configured to trigger on historically significant dates\r\nOverwriting disk sectors with politically-themed strings\r\nUse of legitimate third-party patching mechanisms in order to spread across corporate networks\r\nSpecific encryption and obfuscation methods\r\nUse of specific third-party webmailer servers to store files\r\nUse of similar command-and-control structures\r\nThe attacks conducted by the DarkSeoul gang have required intelligence and coordination, and in some cases have demonstrated technical sophistication. While nation-state attribution is difficult, South Korean media reports have pointed to an investigation which concluded the attackers were working on behalf of North Korea. Symantec expects the DarkSeoul attacks to continue and, regardless of whether the gang is working on behalf of North Korea or not, the attacks are both politically motivated and have the necessary financial support to continue acts of cybersabotage on organizations in South Korea. Cybersabotage attacks on a national scale have been rare—Stuxnet and Shamoon (W32.Disttrack) are the other two main examples. However, the DarkSeoul gang is almost unique in its ability to carry out such high-profile and damaging attacks over several years.\r\nFigure 2. Castov DDoS attack\r\nThe Castov DDoS attack occurs in the following manner:\r\n1. Compromised website leads to the download of SimDisk.exe (Trojan.Castov), a Trojanized version of a legitimate application.\r\n2. SimDisk.exe drops two files onto the compromised system: SimDisk.exe (Clean), the legitimate non-Trojanized version, and SimDiskup.exe (Downloader.Castov).\r\n3. Downloader.Castov connects to a second compromised server to download the C.jpg file (Downloader.Castov), an executable file which appears to be an image.\r\n4. Threat uses the Tor network to download Sermgr.exe (Trojan.Castov).\r\n5. Castov drops the Ole[VARIABLE].dll file (Trojan.Castov) in the Windows system folder.\r\n6. Castov downloads the CT.jpg file from a Web server hosting an ICEWARP webmail that has been compromised as a result of publicly known vulnerabilities in ICEWARP. The CT.jpg file contains a timestamp used by Castov to synchronize attacks.\r\n7. Once this time is reached, Castov drops Wuauieop.exe (Trojan.Castdos).\r\n8. Castdos begins to overload the Gcc.go.kr DNS server with DNS requests, effectively performing a DDoS attack affecting multiple websites.\r\nSource: https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war"
	],
	"report_names": [
		"four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war"
	],
	"threat_actors": [
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434433,
	"ts_updated_at": 1775791699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fcd3e57f6ea8de52f10e120df008a3df8eec65cb.pdf",
		"text": "https://archive.orkl.eu/fcd3e57f6ea8de52f10e120df008a3df8eec65cb.txt",
		"img": "https://archive.orkl.eu/fcd3e57f6ea8de52f10e120df008a3df8eec65cb.jpg"
	}
}