Threat Actor

DarkSeoul Operators

darkseoul_operators · north_korea · active since 2009-07

DarkSeoul Operators (the historical naming era for what subsequently consolidated under the Lazarus Group canonical name following Novetta's Operation Blockbuster disclosure in February 2016; alternative naming "DarkSeoul gang" / "NewRomantic Cyber Army Team" / "WhoIs Team" hacker personas; operationally tracked under the campaign names "Operation Troy" [2009-2012], "Ten Days of Rain" [March 2011] and "DarkSeoul" [March 20, 2013]) is a DPRK state-aligned cluster publicly active since July 4, 2009, operationally controlled by Bureau 121 of the DPRK Reconnaissance General Bureau (RGB) per Group-IB analysis.

The South Korean government formally attributed the activity to Pyongyang on April 10, 2013.

The cluster operates as the historical-naming-era precursor for the modern DPRK state-aligned cluster ecosystem (Lazarus Group, APT38, Andariel, Kimsuky, APT37, Citrine Sleet, Contagious Interview, Sapphire Sleet, Moonstone Sleet, all curated separately in this corpus for their modern operational identities).

Signature campaigns include Operation Troy (emerging July 4, 2009 with the Mydoom + Dozer DDoS, the "Memory of the Independence Day" MBR overwrite, and a sustained 2009-2012 campaign), Ten Days of Rain (March 2011: sophisticated DDoS launched from compromised South-Korean-internal systems, also targeting US military facilities), the March 20, 2013 DarkSeoul signature wiper attack (coordinated wiper deployment against the KBS, MBC and YTN broadcasters, Shinhan Bank, NongHyup Bank, Jeju Bank and an ISP simultaneously; tens of thousands of systems rendered unusable, ATMs offline, newsrooms dark; Jokra and Fimlis wipers; 180,000 PCs claimed destroyed by the NewRomantic Cyber Army Team persona), and the June 25, 2013 Korean War anniversary attacks (Cheongwadae presidential office defacement with Kim Jong-un political messaging).

Signature tradecraft includes destructive wiper malware deployment (Jokra and Fimlis variants), hacker-persona deniability claims, Korean War anniversary timing, Chinese IP routing for operational obfuscation, MBR-overwrite political messaging, and coordinated simultaneous wiper deployment across multiple targets.

Canonical multi-vendor disclosures include McAfee's Operation Troy dissection (July 8, 2013), Symantec's Four Years of DarkSeoul Cyberattacks (June 2013), Dell SecureWorks' wiper malware analysis (March 2013), Kaspersky's South Korean WhoIs Team Attacks (March 2013) and Novetta's Operation Blockbuster Lazarus consolidation (February 2016). The cluster fills the historical DPRK-naming-era cell in this curated corpus as the foundational bridge between earlier DPRK opportunistic DDoS-and-defacement operations and the modern, more sophisticated DPRK state-aligned cluster ecosystem.

Attribution: north_korea · confidence: high · 21 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 0

Profile

DarkSeoul Operators (the historical naming era for what subsequently consolidated under the Lazarus Group canonical name following Novetta's Operation Blockbuster disclosure in February 2016; alternative naming "DarkSeoul gang" / "NewRomantic Cyber Army Team" / "WhoIs Team" hacker personas; operationally tracked under the campaign names "Operation Troy" [2009-2012], "Ten Days of Rain" [March 2011] and "DarkSeoul" [March 20, 2013]) is a Democratic People's Republic of Korea (DPRK) state-aligned cluster publicly active since July 4, 2009. The cluster operates as the historical-naming-era precursor for the modern DPRK state-aligned cluster ecosystem (Lazarus Group, APT38, Andariel, Kimsuky, APT37, Citrine Sleet, Contagious Interview, Sapphire Sleet, Moonstone Sleet, all curated separately in this corpus for their modern operational identities). DPRK attribution was formally established by the South Korean government on April 10, 2013. Per Group-IB analysis the cluster is operationally controlled by Bureau 121 of the DPRK Reconnaissance General Bureau (RGB); Bureau 121 is the DPRK intelligence division responsible for conducting military cyber campaigns.

Operational phases:
  • (1) Operation Troy operational emergence (July 4, 2009). First major hacking incident: Mydoom + Dozer DDoS attack against US and South Korean websites, with an MBR overwrite carrying the string "Memory of the Independence Day".
  • (2) Operation Troy sustained campaign (2009-2012). Continued cyber-espionage campaign with unsophisticated DDoS targeting the South Korean government in Seoul.
  • (3) Ten Days of Rain (March 2011). Tradecraft evolution: sophisticated DDoS originating from compromised South-Korean-internal computers, targeting South Korean media, financial and critical infrastructure plus US military facilities.
  • (4) DarkSeoul March 20, 2013 signature wiper attack. Coordinated wiper attack on the KBS, MBC and YTN broadcasters, the Shinhan Bank, NongHyup Bank and Jeju Bank financial institutions, and an ISP. Tens of thousands of systems rendered unusable, ATMs offline, newsrooms dark. Jokra and Fimlis wiper malware deployed. The NewRomantic Cyber Army Team and WhoIs Team hacker personas claimed responsibility, claiming 180,000 PCs destroyed.
  • (5) South Korean government formal attribution (April 10, 2013). DPRK link formally confirmed by the South Korean government.
  • (6) June 25, 2013 Korean War anniversary attacks. Cheongwadae (South Korean Presidential Office) defacement with Kim Jong-un political messaging; signature anniversary-timing tradecraft established.
  • (7) McAfee Operation Troy dissection (July 8, 2013). McAfee Labs canonical disclosure, alongside Symantec, Dell SecureWorks, Kaspersky, AhnLab and Trend Micro multi-vendor disclosures from March to July 2013.
  • (8) Lazarus Group consolidation era (2014-2016). The November 2014 Sony Pictures Entertainment attack (Guardians of Peace persona) and Novetta's Operation Blockbuster multi-vendor disclosure (February 2016) consolidated DarkSeoul, Sony and adjacent operations under the unified Lazarus Group canonical name.

Signature operational tradecraft
  • Destructive wiper malware deployment: Jokra + Fimlis wiper variants with disk content + structure wipe + MBR overwrite operations. Operationally the first major DPRK-attributed destructive cyber operation against critical economic infrastructure.
  • Hacker persona-based operational identity claiming: NewRomantic Cyber Army Team + WhoIs Team personas claimed responsibility for March 2013 attacks, operationally consistent with DPRK use of hacker-persona deniability tradecraft.
  • Korean War anniversary timing tradecraft: June 25 anniversary + July 4 Independence Day signature operational timing for destructive operations and defacement attacks.
  • Chinese IP routing for operational obfuscation: South Korean officials linked the March 2013 attacks to Chinese IP addresses, operationally consistent with DPRK Chinese-routing infrastructure tradecraft.
  • MBR overwrite messaging tradecraft: signature post-destruction political messaging in the destroyed system's MBR (e.g., "Memory of the Independence Day", July 4, 2009).
  • Coordinated multi-target wiper deployment: signature simultaneous-coordinated-attack tradecraft against multiple South Korean organizations (3 broadcasters + 3 banks + ISP simultaneously March 20, 2013).
  • Government website defacement with DPRK leadership messaging: signature Cheongwadae homepage defacement with Kim Jong-un political messaging (June 25, 2013).
  • Bridge tradecraft from DDoS to destructive operations: the cluster's evolution from the unsophisticated DDoS of Operation Troy (2009) through the sophisticated DDoS of Ten Days of Rain (2011) to the destructive DarkSeoul wiper attacks (2013) demonstrated DPRK cyber capability maturation.

The cluster fills the historical DPRK-naming-era cluster cell in this curated corpus, distinct from the 9 modern DPRK-aligned clusters already curated. Subsequent industry consensus consolidated DarkSeoul operations under the modern Lazarus Group canonical name, but the DarkSeoul-era cluster identity remains operationally significant as (a) the bridge between earlier DPRK opportunistic DDoS-and-defacement operations and the modern sophisticated state-aligned DPRK cyber operations ecosystem, and (b) the originator of the destructive-cyber-against-South-Korean-critical-infrastructure tradecraft subsequently refined under the Lazarus Group name.
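One way an incident responder could triage a boot sector for the overwrite-with-a-message pattern described above (text where bootstrap code and a partition table should be), written as an added example for this profile and not code from threatengine.sh or from any of the vendor reports it cites; the marker list, the sample sectors and the function names are constructed assumptions:

```python
"""Triage for a boot sector overwritten with a text payload instead of boot
code. Added example, not code from the profile or any cited vendor report;
the marker list and sample sectors below are constructed for illustration."""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
# Constructed marker list; the only entry is the string the profile quotes.
KNOWN_MARKERS = (b"Memory of the Independence Day",)


def partition_entries(sector: bytes):
    """Parse the four 16-byte partition entries starting at offset 446."""
    return [struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i) for i in range(4)]


def triage_mbr(sector: bytes) -> dict:
    """Return findings for the first 512 bytes read from a disk or image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    usable = 0
    for boot, ptype, lba_start, sectors in partition_entries(sector):
        # Plausible entry: boot flag 0x00/0x80, non-zero type, start and size.
        if boot in (0x00, 0x80) and ptype and lba_start and sectors:
            usable += 1
    printable = sum(32 <= b < 127 for b in sector[:446])
    findings = {
        "boot_signature_ok": sector[510:] == BOOT_SIGNATURE,
        "usable_partitions": usable,
        "markers": [m.decode() for m in KNOWN_MARKERS if m in sector],
        # Bootstrap code is machine code; mostly printable bytes means text.
        "printable_ratio": round(printable / 446, 2),
    }
    findings["suspect"] = (
        bool(findings["markers"])
        or not findings["boot_signature_ok"]
        or usable == 0
        or findings["printable_ratio"] > 0.9
    )
    return findings


def make_sample_sector(overwritten: bool) -> bytes:
    """Constructed sample: a minimal valid MBR, or one flooded with the message."""
    if overwritten:
        return (b"Memory of the Independence Day " * 20)[:SECTOR_SIZE]
    bootstrap = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 441          # 446 bytes
    first = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)   # one NTFS-style entry
    return bootstrap + first + b"\x00" * 48 + BOOT_SIGNATURE
```

On a real case the 512 bytes would be read from offset 0 of the disk or a forensic image; the thresholds are triage heuristics, not a malware signature.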

Aliases

21 aliases: darkseoul, dark seoul, darkseoul gang, darkseoul group, darkseoul_operators, newromantic cyber army team, newromanic cyber army team, newromanticcyberarmyteam, whois team, whoisteam, operation troy, operationtroy, ten days of rain, tendaysofrain, 10 days of rain, trojan.castov, 3rat trojan, jokra, fimlis, darkseoul_apt, darkseoul dprk

Notable Campaigns

8 campaigns:
  • 2014-2016: Post-2013 Operational Consolidation Under Lazarus Group Canonical Naming (2014-2016)
  • 2013-Present: Continued Korean War Anniversary-Themed Operations Tradecraft (Post-2013)
  • 2013: DarkSeoul March 20, 2013 Wiper Attack (Signature Operation)
  • 2013: South Korean Government Formal Attribution to DPRK (April 10, 2013)
  • 2013: June 25, 2013 Korean War Anniversary Attacks (Signature Anniversary-Themed Operation)
  • 2013: McAfee Operation Troy Dissection Analysis (July 8, 2013)
  • 2011: Ten Days of Rain Operational Campaign (March 2011)
  • 2009: Operation Troy Operational Emergence (July 4, 2009)

Attribution & Reporting

Attributed by
  • McAfee Labs
  • Ryan Sherstobitoff (McAfee researcher who identified 3RAT)
  • Dell SecureWorks Counter Threat Unit
  • Symantec Security Response
  • Kaspersky GReAT
  • Trend Micro
  • Novetta (Operation Blockbuster, February 2016)
  • AhnLab ASEC Threat Research & Response
  • South Korean Communications Commission
  • South Korean government formal attribution
  • Group-IB (LAZARUS ARISEN analysis)
  • 38 North (Stimson Center)
  • Mandiant
  • CrowdStrike
  • Microsoft Threat Intelligence Center
  • SANS Institute (GIAC paper "Tracing the Lineage of DarkSeoul")

Key reporting
  • McAfee Labs (Ryan Sherstobitoff, Itai Liba, James Walter): Dissecting Operation Troy, Domestic Intelligence Gathering (July 8, 2013), canonical McAfee-side DarkSeoul + 3RAT disclosure
  • Symantec Security Response: Four Years of DarkSeoul Cyberattacks Against South Korea Continue on the Anniversary of Korean War (June 26, 2013), canonical Symantec-side DarkSeoul tradecraft disclosure
  • Dell SecureWorks Counter Threat Unit: Wiper Malware Analysis Attacking Financial Sector (March 21, 2013)
  • Kaspersky GReAT: South Korean WhoIs Team Attacks (Securelist, March 20, 2013)
  • AhnLab ASEC Threat Research & Response: Major broadcasters and bank computer network failure caused malware analysis (March 21, 2013)
  • Trend Micro: How Deep Discovery Protected Against The Korean Cyber Attack (March 21, 2013)
  • Novetta + Multi-Vendor Coalition: Operation Blockbuster (February 2016), canonical Lazarus Group consolidation incorporating the DarkSeoul historical era
  • Group-IB: LAZARUS ARISEN (May 2017), canonical Lazarus / DarkSeoul / Bureau 121 / RGB operational analysis
  • 38 North (Stimson Center): From Digital Kleptocracy to Rogue Crypto-Superpower (January 2026), DPRK cyber operations historical context
  • SANS Institute / GIAC: Tracing the Lineage of DarkSeoul (paper #31524), academic-grade DarkSeoul historical analysis
  • South Korean Government: April 10, 2013 Formal Pyongyang Attribution
  • South Korean Communications Commission: Cyber-Attack Alert Level Tracking (March 20, 2013)
  • Mandiant: DPRK State-Aligned Historical Cluster Tracking
  • CrowdStrike Global Threat Report: DPRK Historical Cluster Tracking
  • Microsoft Threat Intelligence: DPRK State-Aligned Cluster Tracking (historical era)
  • MITRE ATT&CK Group G0032, Lazarus Group (incorporates the DarkSeoul historical era)
  • Malpedia Actor Profile: DarkSeoul

Operational

State sponsor

Democratic People's Republic of Korea (DPRK) state-aligned cluster, Bureau 121 of the DPRK Reconnaissance General Bureau (RGB) per multiple analyst assessments. The DarkSeoul cluster identity operates as the historical-naming-era precursor for what was subsequently consolidated under "Lazarus Group" canonical naming following Novetta's Operation Blockbuster February 2016 multi-vendor disclosure and McAfee's "Dissecting Operation Troy" July 2013 analysis.

The DPRK-aligned attribution is operationally supported by multiple convergent evidence streams:
  • (a) South Korean government formal attribution: per Lee Minji (April 10, 2013), the South Korean government formally confirmed the Pyongyang link to the March 2013 cyber attacks, establishing formal state-level attribution of DarkSeoul to the DPRK.
  • (b) Chinese IP address operational use: per Wikipedia coverage of the 2013 South Korea cyber attack, "South Korean officials linked the incident to a Chinese IP address, which increased suspicion of North Korea", operationally consistent with DPRK use of Chinese-routing infrastructure for operational obfuscation.
  • (c) Anti-South-Korean operational pattern: the signature March 20, 2013 attack timing coincided with Korean War-era anniversary themes and elevated post-nuclear-test (February 12, 2013) tensions between the two Koreas, operationally consistent with DPRK strategic priorities.
  • (d) Operational lineage consolidation under Lazarus: per Novetta Operation Blockbuster (February 2016) and subsequent industry consensus, DarkSeoul / Operation Troy / Ten Days of Rain operations were consolidated under "Lazarus Group" canonical naming as the unified DPRK state-aligned cluster identity. Per Group-IB: "The Lazarus (aka DarkSeoul group) is allegedly controlled by Bureau 121, a division of the Reconnaissance General Bureau, a North Korean intelligence agency. Bureau 121 is responsible for conducting military cyber campaigns."
  • (e) Operational continuity with modern DPRK clusters: per 38 North January 2026 analysis, "These early episodes seeded the concepts and infrastructure later refined under labels like Lazarus Group, APT38, and Kimsuky." DarkSeoul operations are documented as the historical foundation for the modern DPRK cyber operations ecosystem.

The cluster fills the historical DPRK-naming-era cluster cell in this curated corpus, operationally distinct from the modern Lazarus Group / Andariel / APT37 / APT38 / Kimsuky / Citrine Sleet / Contagious Interview / Sapphire Sleet / Moonstone Sleet cluster identities (all curated separately for their modern operational identities). The DarkSeoul-era cluster identity is operationally significant because: (a) it represents the bridge between earlier DPRK opportunistic DDoS-and-defacement operations and the modern sophisticated state-aligned DPRK cyber operations ecosystem; (b) the March 20, 2013 wiper attacks represented "the first major destructive cyber attack against critical economic infrastructure executed via code rather than artillery" per 38 North analysis; (c) the DarkSeoul-era operations established the pattern of destructive cyber operations against South Korean critical infrastructure that subsequent DPRK clusters refined.

Motivations
dprk_state_aligned_destructive_cyber_operations_against_south_korea, south_korean_critical_infrastructure_disruption, south_korean_financial_institution_destructive_operations, south_korean_broadcasting_disruption, dprk_political_messaging_via_destructive_cyber, early_dprk_cyber_capability_development_and_demonstration, korean_war_anniversary_themed_political_messaging

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 57/60 · 95%
  • Analytics (MITRE CAR): 30/60 · 50%
  • Runtime / container (Falco): 9/60 · 15%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 18/60 · 30%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • MBR overwrite ("Memory of the Independence Day" string)
  • Mydoom
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin