Skip to content

S0252 Brave Prince

Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. 1

Item Value
ID S0252
Associated Names
Version 1.2
Created 17 October 2018
Last Modified 11 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Some Brave Prince variants have used South Korea’s Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command.1
enterprise T1083 File and Directory Discovery Brave Prince gathers file and directory information from the victim’s machine.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Brave Prince terminates antimalware processes.1
enterprise T1057 Process Discovery Brave Prince lists the running processes.1
enterprise T1012 Query Registry Brave Prince gathers information about the Registry.1
enterprise T1082 System Information Discovery Brave Prince collects hard drive content and system configuration information.1
enterprise T1016 System Network Configuration Discovery Brave Prince gathers network configuration information as well as the ARP cache.1

Groups That Use This Software

ID Name References
G0094 Kimsuky 2