McAfee ATR found Gold Dragon, Brave Prince, Ghost419, and Running Rat implants used alongside the 2018 Olympics-themed intrusion activity to establish persistence, profile victims, and enable continued data theft or follow-on access. Gold Dragon acted as a reconnaissance and downloader implant: it collected desktop, recent-file, program-folder, system, registry, and user-profile data, encrypted the results, and posted them to ink.inkboom.co.kr while also requesting next-stage payloads by computer name and username. The malware used Korean-specific tradecraft, including checking for the Hangul Word Processor process, extracting an embedded executable from an HWP file marker, and writing viso.exe into the user Startup folder for persistence. Infrastructure and overlap with earlier implants included ink.inkboom.co.kr, nid-help-pchange.atwebpages.com, and code/behavior shared with Brave Prince and Ghost419, while later activity reused hacked servers in Santiago, Chile. The activity matters because it shows the Olympics intrusion moving beyond initial PowerShell staging into durable endpoint access, victim profiling, and modular payload delivery.