CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND
2014-03-28 • Fortinet
Fortinet’s slide deck examines the 3.20 Korean wiper attacks and related Operation Troy, Mission, 1Mission, Nstar, Eaglexp, and BS.DLL malware families. The reported impact includes disruption at Shinhan Bank, NongHyup, KBS, MBC, and YTN, with Windows and Linux/Unix wipers, droppers, injectors, and spreaders linked by shared payload traits. The deck highlights common characteristics such as no packing, file mapping objects, time bombs, HTTP-based communication, similar payloads, and development-path artifacts. Several payloads calculate host IDs from registry or MAC data, retrieve encrypted server responses, and support commands such as download and execute, upload, MapFS, registry modification, IRC participation, and MBR/VBR wiping. The material matters because it connects destructive Korean wiper activity with a longer toolset lineage built for both document theft and system disabling.