ENKI’s Korean analysis of the “APT Down - The North Korea Files” leak examines the actor’s VMware workstation and VPS dumps, which contained malware source code, attack tools, stolen data, logs, and phishing infrastructure. The leaked rootkit code matched a rootkit ENKI observed during a 2022 South Korean financial-company incident, and the dump also included a newer 2025 version of the same rootkit/backdoor family. The 2022 syslogk rootkit hides processes, ports, and directories, registers Netfilter hooks, runs the backdoor only after specific magic-packet conditions, and supports encrypted command execution, file transfer, and proxy functions through an operator client. The 2025 version adds callback-delay password checks, configurable callback timing, transfer-rate controls, additional XOR routines, more commands, and expanded Netfilter and hooking behavior. The broader leak also contained an Ivanti 1-day exploit, apparent South Korean government and GPKISecureWebX source code, and phishing evidence aimed at the Public Prosecutor’s Office and Defense Counterintelligence Command, supporting the report’s view of persistent South Korea-focused operations.