South Korean Financial Companies Targeted by Castov

2013-05-28 Symantec

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=549bdf3b-25d1-4b9d-909d-537e27359aec&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

Symantec observed the Gongda exploit kit, which mainly targeted South Korea, delivering Castov malware against specific South Korean financial companies and their customers. The initial Delphi-compiled stage can stop antivirus software, report the infection to a C&C server, and download an encrypted second-stage infostealer. Castov inspects Korean online banking and security-related DLLs at specific offsets, patches instructions, and injects code to capture what are likely passwords, account details, and transaction data before sending them to a remote server. It also collects digital certificates from the NPKI directory, a high-value target in South Korea because those certificates are widely used for banking, credit card, insurance, and other financial services. Together, the screenshots, credentials, and certificates could enable account access and fraud against affected users.