S0252: Brave Prince
Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. [1]
Analyst context for executives and security teams
Brave Prince matters because ATT&CK describes it as a Korean-language Windows implant, reported in operations around the 2018 Pyeongchang Winter Olympics alongside Gold Dragon and RunningRAT, with code and behavioral overlap with Gold Dragon. For leaders, the practical issue is not the malware name alone; it is whether Windows endpoint, network egress, and security-tool health monitoring can show discovery activity, unencrypted exfiltration, and defense impairment if a similar implant appears in the environment.
Executive priority
Prioritize validation of Windows endpoint visibility and incident response readiness for discovery-heavy malware behavior. The supplied relationships connect Brave Prince to registry, process, system, network, file, and directory discovery, plus exfiltration over unencrypted non-C2 protocols and disabling or modifying tools. This makes it relevant to business continuity, audit evidence, and SOC readiness: leaders should ask whether teams can prove what hosts were enumerated, what data paths were used, and whether defensive tools remained operational during an incident.
Technical view
ATT&CK lists Brave Prince as Windows malware and provides no official detection text. Detection engineering should therefore pivot from the malware family name to the mapped behaviors: Query Registry, System Network Configuration Discovery, Process Discovery, System Information Discovery, File and Directory Discovery, Exfiltration Over Unencrypted Non-C2 Protocol, and Disable or Modify Tools. SOC and IR teams should validate host telemetry for registry queries, process enumeration, system and network configuration commands or API activity (the relationship text specifically mentions the ARP cache), broad file-system enumeration, unusual cleartext outbound transfers (the relationship text mentions a webmail service and HTTP POST to a web server), and changes to security tooling, services, agents, or logging configuration (the relationship text mentions termination of antimalware processes). The relationship context notes that Kimsuky has used Brave Prince, but local triage should not assume attribution without corroborating evidence.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows Registry access or modification telemetry where available
- Endpoint file and directory enumeration signals
- Host network connection metadata and proxy/firewall logs for outbound cleartext protocols
- DNS, HTTP, FTP, or other unencrypted egress evidence where collected
Detection direction
- Build detections around behavior clusters rather than the Brave Prince name alone, especially discovery activity followed by outbound transfer or security-tool impairment.
- Tune for sequences of registry, process, system, network, and file discovery on Windows hosts, while accounting for legitimate administration and software inventory activity.
- Review egress monitoring for unencrypted non-C2 transfer patterns, unusual destinations, or unexpected protocols from endpoints; avoid assuming content visibility where encryption or logging gaps exist.
- Validate alerts for stopping, disabling, reconfiguring, or degrading endpoint security and logging tools, because defense impairment can remove the evidence needed for later investigation.
- Use the Kimsuky relationship as threat-intelligence context only; do not convert it into attribution without additional evidence from the environment.
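The behavior-cluster approach described in the technical view and in the detection direction above, as an added example that is not code from the ATT&CK object, from Glexia, or from the McAfee report: a small Python correlation that runs over constructed Windows process-creation and network-connection lines and alerts when one host shows several distinct discovery techniques from the table on this page within a time window and then either kills a security-agent process or opens a cleartext connection to a non-approved destination. The pipe-delimited line format, the host names, the protected-process watchlist, the approved-egress allowlist, the 30-minute window and the three-technique threshold are all assumptions made for illustration, not values taken from the page.

```python
"""
Behavior-cluster detection for Brave Prince-like activity: several distinct
discovery techniques on one host, followed within a window by cleartext
egress or termination of a security-agent process.

Added example; not code from the ATT&CK object or the McAfee report. The
telemetry format, host names, watchlists, window and threshold are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str     # "process" (detail = command line) or "netconn" (detail = "proto ip:port")
    detail: str


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited telemetry line (assumed format: ts|host|kind|detail)."""
    ts, host, kind, detail = line.strip().split("|", 3)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, kind, detail)


# Command-line patterns for the discovery techniques mapped to Brave Prince on this page.
DISCOVERY = {
    "T1012": re.compile(r"\breg(\.exe)?\s+query\b", re.I),                         # Query Registry
    "T1016": re.compile(r"\b(ipconfig(\.exe)?\s+/all|arp(\.exe)?\s+-a)\b", re.I),  # network config / ARP cache
    "T1057": re.compile(r"\btasklist(\.exe)?\b", re.I),                            # Process Discovery
    "T1082": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),                          # System Information Discovery
    "T1083": re.compile(r"\bdir\b.*\s/s\b", re.I),                                 # recursive File and Directory Discovery
}
TASKKILL = re.compile(r"\btaskkill(\.exe)?\b.*?/im\s+(\S+)", re.I)
PROTECTED = {"msmpeng.exe", "edragent.exe"}  # assumed watchlist of security-agent image names
CLEARTEXT = {"http", "smtp", "ftp"}          # unencrypted protocols treated as possible non-C2 exfil
APPROVED_EGRESS = {"203.0.113.50:80"}        # assumed business-approved cleartext destination


def classify(ev: Event):
    """Return ("discovery", technique), ("impair", image), ("exfil", dest) or None."""
    if ev.kind == "process":
        for tid, rx in DISCOVERY.items():
            if rx.search(ev.detail):
                return ("discovery", tid)
        m = TASKKILL.search(ev.detail)
        if m and m.group(2).lower() in PROTECTED:
            return ("impair", m.group(2))
        return None
    if ev.kind == "netconn":
        proto, dest = ev.detail.split(" ", 1)
        if proto.lower() in CLEARTEXT and dest not in APPROVED_EGRESS:
            return ("exfil", f"{proto} {dest}")
    return None


def detect(events, window=timedelta(minutes=30), min_techniques=3):
    """Alert when >= min_techniques distinct discovery techniques on a host are followed,
    within `window`, by cleartext egress or security-tool impairment on the same host."""
    alerts = []
    recent_by_host = {}   # host -> [(ts, technique), ...] discovery seen inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        tag = classify(ev)
        if tag is None:
            continue
        recent = recent_by_host.setdefault(ev.host, [])
        recent[:] = [(t, tid) for t, tid in recent if ev.ts - t <= window]  # age out old discovery
        if tag[0] == "discovery":
            recent.append((ev.ts, tag[1]))
            continue
        seen = sorted({tid for _, tid in recent})
        if len(seen) >= min_techniques:
            alerts.append({"host": ev.host, "trigger": tag[0], "detail": tag[1],
                           "techniques": seen, "at": ev.ts.isoformat()})
    return alerts


# Constructed telemetry (TEST-NET addresses). WS01 mimics the behaviors in the table;
# WS02 is an admin inventory run posting to an approved destination; WS03 has stale discovery.
SAMPLE_TELEMETRY = """\
2018-02-01T09:00:00Z|WS01|process|cmd.exe /c systeminfo
2018-02-01T09:01:00Z|WS01|process|cmd.exe /c tasklist
2018-02-01T09:02:00Z|WS01|process|cmd.exe /c ipconfig /all
2018-02-01T09:02:30Z|WS01|process|cmd.exe /c arp -a
2018-02-01T09:03:00Z|WS01|process|reg.exe query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
2018-02-01T09:04:00Z|WS01|process|cmd.exe /c dir C:\\Users /s /b
2018-02-01T09:05:00Z|WS01|process|taskkill /f /im MsMpEng.exe
2018-02-01T09:06:00Z|WS01|netconn|http 198.51.100.23:80
2018-02-01T09:00:00Z|WS02|process|cmd.exe /c systeminfo
2018-02-01T09:00:10Z|WS02|process|cmd.exe /c tasklist
2018-02-01T09:00:20Z|WS02|process|cmd.exe /c ipconfig /all
2018-02-01T09:01:00Z|WS02|netconn|http 203.0.113.50:80
2018-02-01T08:00:00Z|WS03|process|cmd.exe /c tasklist
2018-02-01T09:30:00Z|WS03|process|cmd.exe /c systeminfo
2018-02-01T09:30:10Z|WS03|process|cmd.exe /c arp -a
2018-02-01T09:31:00Z|WS03|netconn|smtp 198.51.100.9:25
"""


def run():
    """Parse the constructed telemetry and return the alerts it produces."""
    return detect(parse_line(l) for l in SAMPLE_TELEMETRY.splitlines() if l)


if __name__ == "__main__":
    for a in run():
        print(a)
```

Only WS01 alerts, twice: once when the Defender process is killed and again on the cleartext HTTP connection, each carrying all five discovery techniques seen in the preceding minutes. WS02 ran three discovery commands but posted to an allowlisted destination, which is the documented-exception case from the mitigation list; WS03's `tasklist` at 08:00 has aged out of the 30-minute window by the time the SMTP connection appears, so only two techniques remain and no alert fires. In production the regexes would map onto EDR or Sysmon command-line fields, the window and threshold would be tuned against software-inventory and help-desk activity, and encrypted egress would need a separate, metadata-only rule since content is not visible.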
Mitigation priorities
- First, ensure Windows endpoint logging, EDR, and security-tool health monitoring are consistently deployed and retained.
- Next, restrict and monitor unnecessary outbound unencrypted protocols from endpoints, with exceptions documented for business-approved use.
- Harden endpoint security tooling against tampering and alert on service, configuration, or update failures.
- Prepare IR playbooks that collect host discovery artifacts, network egress logs, and security-tool status before evidence is overwritten.
- Use the mapped ATT&CK techniques to test control coverage and produce compliance-ready evidence of monitoring, egress control, and endpoint protection resilience.
Analyst notes and limits
The ATT&CK object identifies Brave Prince as a Korean-language Windows implant first observed in December 2017 and reported in operations surrounding the 2018 Pyeongchang Winter Olympics alongside Gold Dragon and RunningRAT. The relationship context includes use by Kimsuky and several mapped techniques, mostly discovery-related, with exfiltration and defense-impairment relevance. This take intentionally focuses on defensive validation rather than malware-specific indicators because no official detection guidance was supplied.
MITRE supplied no official detection text, no aliases, no explicit tactics on the malware object, and no indicators of compromise in the provided fields. Some related technique platform lists are broader than the Brave Prince object; this summary treats Brave Prince itself as Windows-supported based on the supplied platform field. Local telemetry, asset criticality, and incident evidence are required to determine exposure or coverage.
Brave Prince
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | Brave Prince collects hard drive content and system configuration information. [1] |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Some Brave Prince variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP POST command. [1] |
| Enterprise | T1057 | Process Discovery | Brave Prince lists the running processes. [1] |
| Enterprise | T1685 | Disable or Modify Tools | Brave Prince terminates antimalware processes. [1] |
| Enterprise | T1083 | File and Directory Discovery | Brave Prince gathers file and directory information from the victim's machine. [1] |
| Enterprise | T1012 | Query Registry | Brave Prince gathers information about the Registry. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Brave Prince gathers network configuration information as well as the ARP cache. [1] |
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 9334110aced1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] McAfee Gold Dragon: Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims' Systems. Retrieved June 6, 2018.
- [2] Brave Prince (Citation: McAfee Gold Dragon)
- [3] mitre-attack S0252
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.