
S0249: Gold Dragon

Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. [1]

Domain: Enterprise | ID: S0249 | Type: Malware | Object version: 1.3
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Gold Dragon matters because it is a Windows data-gathering implant that ATT&CK ties to targeting around the 2018 Winter Olympics and, through its Kimsuky relationship, to DPRK espionage. For leaders, the practical question is not the malware name but whether Windows endpoint, web traffic, registry, command-shell, collection, and persistence evidence is sufficient to reconstruct a data-gathering intrusion before staging, archiving, or tool transfer becomes an incident-response blind spot.

Executive priority

Prioritize validation of Windows endpoint visibility and incident-response readiness around discovery, persistence, collection, and command-and-control behaviors. This object has no official ATT&CK detection guidance, so confidence should come from control evidence: endpoint logging, registry monitoring, command execution records, web egress review, and the ability to investigate local data staging or archive creation. It is most relevant to organizations concerned with espionage-style data collection, event-related targeting, and audit evidence that security monitoring can support post-compromise investigation.

Technical view

ATT&CK lists Gold Dragon as Windows malware and relates it to behaviors including Query Registry, System Owner/User Discovery, Process Discovery, Windows Command Shell, File Deletion, Web Protocols, Local Data Staging, System Information Discovery, File and Directory Discovery, Ingress Tool Transfer, Security Software Discovery, Registry Run Keys / Startup Folder, Archive Collected Data, and Disable or Modify Tools. SOC and IR teams should validate coverage across the full chain: host discovery commands and registry access, run key or startup folder persistence, suspicious cmd.exe usage, local staging and archive artifacts, file deletion, inbound tool transfer, and outbound web-protocol communications. Because ATT&CK provides no detection text for this malware, detections should be behavior-led rather than name-led.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Windows Registry access and modification events, especially Run Keys and startup-related locations
  • File creation, deletion, directory enumeration, staging-location, and archive-creation evidence
  • User, system, process, security software, and file discovery activity from host logs or EDR
  • Network egress metadata and proxy/DNS/web traffic records for HTTP/S-style command-and-control patterns

Detection direction

  • Validate behavior-based analytics for the related ATT&CK techniques rather than relying on malware-family signatures alone.
  • Tune for suspicious combinations: registry querying plus system/user/process discovery, cmd.exe execution, local staging or archive creation, followed by web egress.
  • Review Run Key and startup-folder changes for persistence, with attention to user-context execution on Windows systems.
  • Correlate file deletion after tool execution or staging activity as potential cleanup behavior, while accounting for legitimate software installers, scripts, and administrative maintenance.
  • Confirm visibility into security software discovery or modification attempts, since this can indicate preparation to avoid or impair monitoring.
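The correlation logic described in the bullets above, written out as an added example (this is not code from ATT&CK, MITRE or the McAfee report). It scores each host on how many distinct behaviors from the relationship table appear within one time window, rather than matching a malware-family name. Event shapes follow Sysmon event IDs 1, 3, 11 and 23; the field names, thresholds, path markers and all sample events are assumptions constructed for the demo. Because Sysmon does not record registry reads, the Query Registry behavior is approximated by the visible `reg.exe query` child that cmd.exe spawns.

```python
"""Behavior-led correlation of the Gold Dragon technique chain over Sysmon-shaped events.

Added example; not code from ATT&CK, MITRE or the McAfee report. It scores each
host on how many distinct ATT&CK behaviors from the relationship table appear
within a time window, instead of matching a malware-family name. Event shapes
follow Sysmon event IDs 1 (ProcessCreate), 3 (NetworkConnect), 11 (FileCreate)
and 23 (FileDelete); the field names and all sample events are constructed for
the demo. Sysmon does not log registry reads, so Query Registry (T1012) is
approximated by the visible `reg.exe query` child that cmd.exe spawns.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # assumed tuning value; adjust to the environment
MIN_STAGES = 3                   # distinct behaviors required before alerting

DISCOVERY_CMDS = ("systeminfo", "tasklist", "reg query", "whoami", "dir ")
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

def classify(ev: dict) -> str | None:
    """Map one Sysmon-like event to a behavior stage from the relationship table."""
    eid = ev["EventID"]
    if eid == 1:  # T1059.003 cmd.exe running T1082/T1057/T1012/T1033 discovery
        cmd = ev.get("CommandLine", "").lower()
        if ev.get("ParentImage", "").lower().endswith("\\cmd.exe") and any(
            c in cmd for c in DISCOVERY_CMDS
        ):
            return "discovery"
    elif eid == 11:
        target = ev.get("TargetFilename", "").lower()
        if STARTUP_MARKER in target:
            return "persistence"  # T1547.001 Startup folder
        if target.endswith(".hwp") and "\\appdata\\" in target:
            return "staging"      # T1074.001, e.g. 1.hwp
    elif eid == 23 and ev.get("TargetFilename", "").lower().endswith(".hwp"):
        return "cleanup"          # T1070.004, e.g. 2.hwp
    elif eid == 3:
        proc = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
        if ev.get("DestinationPort") in (80, 8080) and proc not in BROWSERS:
            return "egress"       # T1071.001 HTTP from a non-browser process
    return None

def correlate(events: list[dict]) -> dict[str, set[str]]:
    """Return {host: stages} for hosts with >= MIN_STAGES distinct stages inside WINDOW."""
    by_host: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        stage = classify(ev)
        if stage:
            by_host[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), stage))
    alerts: dict[str, set[str]] = {}
    for host, seq in by_host.items():
        for i, (t0, _) in enumerate(seq):   # slide the window from each stage hit
            stages = {s for t, s in seq[i:] if t - t0 <= WINDOW}
            if len(stages) >= MIN_STAGES:
                alerts[host] = stages
                break
    return alerts

# Constructed sample telemetry: WS01 shows the chain; WS02 is a legitimate installer
# dropping a Startup shortcut while a browser talks HTTP, which must not alert.
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "UtcTime": "2018-02-01T10:00:05", "ParentImage": CMD,
     "CommandLine": "systeminfo"},
    {"Computer": "WS01", "EventID": 1, "UtcTime": "2018-02-01T10:00:07", "ParentImage": CMD,
     "CommandLine": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"Computer": "WS01", "EventID": 11, "UtcTime": "2018-02-01T10:01:00",
     "TargetFilename": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\1.hwp"},
    {"Computer": "WS01", "EventID": 11, "UtcTime": "2018-02-01T10:01:30",
     "TargetFilename": "C:\\Users\\j.doe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.exe"},
    {"Computer": "WS01", "EventID": 3, "UtcTime": "2018-02-01T10:02:00",
     "Image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\svc.exe", "DestinationPort": 80},
    {"Computer": "WS01", "EventID": 23, "UtcTime": "2018-02-01T10:02:30",
     "TargetFilename": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\2.hwp"},
    {"Computer": "WS02", "EventID": 11, "UtcTime": "2018-02-01T10:03:00",
     "TargetFilename": "C:\\Users\\a.kim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Slack.lnk"},
    {"Computer": "WS02", "EventID": 3, "UtcTime": "2018-02-01T10:03:10",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationPort": 80},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {sorted(stages)}")
```

The design point is that no single stage alerts on its own: a Startup-folder write from an installer or a `systeminfo` run by a help-desk script is normal, but several of these behaviors on one host inside a short window is the combination the detection-direction bullets describe. Raising MIN_STAGES or shrinking WINDOW trades recall for precision.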

Mitigation priorities

  • Ensure Windows endpoint logging and retention are sufficient for registry, process, file, command-line, and security-tool health investigation.
  • Restrict and monitor unnecessary command-shell and script-driven administrative activity where operationally feasible.
  • Harden persistence locations such as Registry Run Keys and startup folders with change monitoring and least-privilege controls.
  • Improve egress governance and monitoring for unusual web-protocol communications from endpoints.
  • Maintain incident-response playbooks for discovery-to-collection sequences, including local staging, archive handling, and evidence preservation after file deletion.

Analyst notes and limits

Gold Dragon is described by ATT&CK as a Korean-language data-gathering implant first observed in South Korea in July 2017 and used with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. ATT&CK also relates the malware to Kimsuky and to multiple discovery, execution, persistence, collection, command-and-control, defense-impairment, and cleanup techniques. These relationships are useful for building defensive hypotheses, but local telemetry is required to determine relevance in a specific environment.

ATT&CK does not provide official detection guidance for this object, and the supplied object lists no tactics directly on the malware record. The assessment is therefore based on the official description, external references, Windows platform field, and provided relationship context. No claim is made that this malware is currently active, present in any environment, or detectable by any specific control.

Official MITRE ATT&CK definition

The official description is quoted verbatim at the top of this page. View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

14 rows. Columns: Domain | ID | Name | Relationship / procedure

Enterprise | T1685 | Disable or Modify Tools | Gold Dragon terminates anti-malware processes if they're found running on the system. [1]

Enterprise | T1070.004 | File Deletion (sub-technique) | Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence. [1]

Enterprise | T1033 | System Owner/User Discovery | Gold Dragon collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server. [1]

Enterprise | T1105 | Ingress Tool Transfer | Gold Dragon can download additional components from the C2 server. [1]

Enterprise | T1074.001 | Local Data Staging (sub-technique) | Gold Dragon stores information gathered from the endpoint in a file named 1.hwp. [1]

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Gold Dragon establishes persistence in the Startup folder. [1]

Enterprise | T1560 | Archive Collected Data | Gold Dragon Base64-encodes collected data before sending it to the command and control server. The mirrored ATT&CK procedure text calls this encryption; Base64 is a keyless, reversible encoding, so captured payloads can be decoded directly during analysis. [1]

Enterprise | T1057 | Process Discovery | Gold Dragon checks the running processes on the victim's machine. [1]

Enterprise | T1083 | File and Directory Discovery | Gold Dragon lists the directories for Desktop, program files, and the user's recently accessed files. [1]

Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Gold Dragon uses cmd.exe to execute commands for discovery. [1]

Enterprise | T1082 | System Information Discovery | Gold Dragon collects endpoint information using the systeminfo command. [1]

Enterprise | T1071.001 | Web Protocols (sub-technique) | Gold Dragon uses HTTP for communication to the control servers. [1]

Enterprise | T1518.001 | Security Software Discovery (sub-technique) | Gold Dragon checks for anti-malware products and processes. [1]

Enterprise | T1012 | Query Registry | Gold Dragon enumerates registry keys with the command regkeyenum and obtains information for the Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. [1]
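A triage helper for the T1560 row above, added here as an example (not code from ATT&CK, MITRE or the McAfee report). Because Base64 is an encoding rather than encryption, an analyst holding a captured HTTP request body from a proxy log or PCAP can recover the staged data with no key. The marker strings, length threshold and the sample request body are assumptions constructed for the demo; no real C2 traffic is included.

```python
"""Triage helper for the T1560 row: Base64 is an encoding, not encryption.

Added example, not code from ATT&CK or the McAfee report. Given the body of a
captured HTTP request (e.g. from a proxy log or PCAP), it checks whether the body
is strict Base64 and, if so, decodes it and looks for markers of systeminfo output
of the kind Gold Dragon stages before sending. The sample request body below is
constructed for the demo; no real C2 traffic is included.
"""
from __future__ import annotations
import base64
import binascii
import re

# Strict standard Base64: alphabet only, whole groups of 4, padding only at the end.
_B64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")
# URL-safe variant, possibly sent without padding by some clients.
_URLSAFE_RE = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")

# Field labels that systeminfo prints on every Windows host (English locale assumed).
SYSTEMINFO_MARKERS = (b"Host Name:", b"OS Name:", b"OS Version:", b"Registered Owner:")

def decode_if_base64(body: str) -> bytes | None:
    """Return decoded bytes when body is valid Base64 (standard or URL-safe), else None."""
    text = body.strip()
    if len(text) < 16:      # assumed floor; avoids false hits on short tokens
        return None
    try:
        if _B64_RE.match(text):
            return base64.b64decode(text, validate=True)
        if _URLSAFE_RE.match(text):
            padded = text + "=" * (-len(text) % 4)
            return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None
    return None

def looks_like_systeminfo(data: bytes) -> bool:
    """True if the decoded data carries at least two systeminfo field labels."""
    return sum(m in data for m in SYSTEMINFO_MARKERS) >= 2

def triage_body(body: str) -> dict:
    """Summarise one request body for an analyst: encoded? decodable? staged host data?"""
    decoded = decode_if_base64(body)
    return {
        "base64": decoded is not None,
        "decoded_len": len(decoded) if decoded else 0,
        "systeminfo": bool(decoded) and looks_like_systeminfo(decoded),
        "preview": decoded[:60].decode("latin-1") if decoded else "",
    }

# Constructed sample: what a staged 1.hwp built from `systeminfo` might contain,
# Base64-encoded the way the T1560 row describes, plus a benign JSON body for contrast.
STAGED_TEXT = (
    "Host Name:                 WS01\r\n"
    "OS Name:                   Microsoft Windows 10 Pro\r\n"
    "OS Version:                10.0.17134 N/A Build 17134\r\n"
    "Registered Owner:          j.doe\r\n"
)
SAMPLE_POST_BODY = base64.b64encode(STAGED_TEXT.encode()).decode()
BENIGN_BODY = '{"event":"heartbeat","ts":1517563200}'

if __name__ == "__main__":
    for label, body in (("suspect", SAMPLE_POST_BODY), ("benign", BENIGN_BODY)):
        print(label, triage_body(body))
```

Run over the bodies of outbound POST requests from non-browser processes, this turns the "archive" step into readable evidence of what actually left the host, which is the data-staging blind spot the executive summary warns about. Strict validation matters: loose decoders will happily "decode" ordinary text and produce garbage.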

Associated objects

Groups, software, and campaigns

Group Enterprise

G0094: Kimsuky

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.3
Created:
Modified:
Raw hash: 9dd26ce86b128ab4...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.3 | | Current bundle | 9dd26ce86b12…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] McAfee Gold Dragon: Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims' Systems. Retrieved June 6, 2018.
  2. [2] Gold Dragon (software name record; cites McAfee Gold Dragon).
  3. [3] mitre-attack S0249 (MITRE ATT&CK software entry for this object).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.