Boot Failure Incident at Media Outlets, Broadcasters, and Financial Sites

2013-03-20 NProtect Media broadcasting station and financial site failed to boot.

https://isarc.tachyonlab.com/408

South Korean financial institutions, broadcasters, media sites, and North Korea-related organizations were hit by destructive malware and website defacements beginning around 14:00 on March 20, 2013. The malware family used droppers and downloaders that installed payloads from temporary and system paths, including AgentBase.exe, v3servc.exe, shellservice.exe, themeservics.exe, LGservc.exe, and xupdate.exe. Multiple variants destroyed the MBR and data files, used strings such as HASTATI, PRINCPES, or PR!NCPES, created a FileMapping object to prevent duplicate execution, and attempted to terminate specific South Korean security products. Later delivery activity abused compromised Korean websites and fake image files such as paper.gif, mb_join.gif, update-themed GIFs, and logo.jpg to stage additional executable payloads, showing an evolving destructive campaign against South Korean targets.

Indicators of Compromise

Type      Value                First Seen    Last Seen
DOMAIN    avs.nprotect2.net    2013-03-20    2013-03-20
