In-Depth Analysis of the APT Down - The North Korea Files leak

2025-09-22 ENKI

https://www.enki.co.kr/en/media-center/blog/in-depth-analysis-of-the-apt-down-the-north-korea-files-leak


The leaked “APT Down - The North Korea Files” material exposed a Deepin workstation dump and VPS data containing malware source code, attack tools, exfiltrated material, and phishing infrastructure, which the leak's authors tie to activity against South Korea. ENKI found rootkit source code matching a rootkit recovered during its 2022 incident investigation at a South Korean financial institution, with identical logic and encryption material, plus an updated 2025 version. The tooling includes a syslogk Linux kernel rootkit and a companion backdoor that hide processes, ports, and directories, use Netfilter hooks and magic-packet triggering to activate, support command execution, file transfer, and proxying, and disguise their traffic as common protocols. The leak also contained an Ivanti 1-day exploit, apparent Ministry of Foreign Affairs and GPKISecureWebX source code, and spear-phishing evidence targeting entities such as the Public Prosecutor’s Office and the Defense Counterintelligence Command, indicating sustained operations against South Korean government and financial targets.

Indicators of Compromise

