Ghost Rat, a malicious program used by North Korea

2016-07-01 NProtect Ghost Rat, a malicious program used by North Korea

https://isarc.tachyonlab.com/535


South Korean police attributed a February compromise of domestic conglomerate networks to North Korea, reporting that more than 130,000 computers were infected with the “Ghost Rat” malware. TachyonLab analyzed a sample named zegost.exe, describing it as a Gh0st RAT variant that copies itself under the Windows directory, persists through a scheduled task, and runs its main malicious logic from an in-memory DLL. The malware contacts blocked C2 servers, sends infected host details, logs keystrokes with active-window context, downloads additional executables from the same infrastructure, collects browser favorites, records microphone audio, steals remote-connection data, controls remote sessions, installs drivers, and interferes with security products. The driver-installation and broad remote-control capabilities make the backdoor significant for APT operations because they can support long-term access, follow-on payload delivery, surveillance, and deeper compromise of enterprise networks.
