Black Mine Operation (검은 광산 작전) Analysis Report
2015-11-03 • AhnLab • Black Mine Operation Analysis Report
http://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=&menu_dist=1&seq=24229
AhnLab’s Black Mine Operation analysis tracks more than 240 Bmdoor samples collected from May 2014 to July 2015 and says the activity targeted South Korean energy, transportation, telecommunications, broadcasting, IT, finance, and political organizations. Bmdoor masqueraded as normal PowerPoint-viewer executables for selected victims, while separate campaigns compromised Korean websites and used local software and Adobe Flash vulnerabilities, including CVE-2014-0515 and CVE-2015-0313, to infect general users. The loader hid encrypted payloads at the end of files in a section beginning with the “BM” string and launched Bmdown downloaders, Bmbot backdoors, or known RATs such as Aryan, DarkComet, Xena, and Xtreme. AhnLab found overlaps with malware, vulnerabilities, and infrastructure associated with the 3.20 DarkSeoul and 6.25 cyber attacks, but states that a definitive link to the same group was not proven.
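The overlay-hiding technique summarized above (an encrypted payload appended after the last PE section, introduced by the "BM" string) lends itself to a simple triage check. The following is an added example, not code from AhnLab's report: it computes the end of the section table from the PE headers and reports whether the overlay starts with "BM". The minimal PE built by `build_sample_pe` is constructed here for offline testing, and the payload bytes are a stand-in; the report's encryption scheme is not reproduced.

```python
import struct
from typing import Optional

def overlay_offset(data: bytes) -> Optional[int]:
    """Offset where the last PE section's raw data ends (start of any overlay); None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def triage(data: bytes) -> Optional[dict]:
    """Report overlay position/size and whether it begins with the 'BM' marker from the report."""
    end = overlay_offset(data)
    if end is None:
        return None
    overlay = data[end:]
    # 'BM' is also the bitmap file magic, so a hit is a triage signal, not a verdict.
    return {"overlay_offset": end, "overlay_size": len(overlay),
            "bm_marker": overlay.startswith(b"BM")}

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 with one section, so the check runs offline (not a real sample)."""
    e_lfanew, opt_size, raw_ptr, raw_size = 0x40, 0xE0, 0x200, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)  # PE32 magic, remaining fields zeroed
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", raw_size, 0x1000, raw_size,
                                        raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (dos + coff + opt + sec).ljust(raw_ptr, b"\0")
    return header + b"\xCC" * raw_size + overlay

if __name__ == "__main__":
    # Constructed overlay: the 'BM' marker followed by opaque stand-in "encrypted" bytes.
    print(triage(build_sample_pe(b"BM" + bytes(range(256)))))
```

Run it over a directory of suspect executables and review the flagged files manually; a "BM" overlay alone should drive further analysis, not a block decision.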