Operation GoldenAxe described suspected North Korean watering-hole activity from June 2016 to May 2017 that compromised more than ten South Korean organization websites tied to diplomacy, aviation, North Korea affairs, unification, parliament, labor, and finance. The attackers abused compromised association and institutional websites to exploit zero-day vulnerabilities in widely deployed South Korean ActiveX software, delivering malware for remote control, information theft, and additional payloads, with encryption logic, protocol elements, and C2 command overlap with malware previously attributed by South Korean authorities to North Korea; FSI’s Rifle reporting separately preserved Andariel-linked context for the MAYDAY activity set.