{ "id": "ce9fb9af-8931-4fda-86fa-94631602d70f", "created_at": "2026-04-06T00:09:10.413232Z", "updated_at": "2026-04-10T13:12:50.377355Z", "deleted_at": null, "sha1_hash": "64203f95339f24c2032d29a5fc26d953a63e94f7", "title": "HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL | CISA", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 81162, "plain_text": "HIDDEN COBRA – North Korean Remote Administration Tool:\r\nFALLCHILL | CISA\r\nPublished: 2017-11-22 · Archived: 2026-04-05 15:24:06 UTC\r\nSystems Affected\r\nNetwork systems\r\nOverview\r\nThis joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security\r\n(DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI\r\nidentified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote\r\nadministration tool (RAT) used by the North Korean government—commonly known as FALLCHILL. The U.S.\r\nGovernment refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more\r\ninformation on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.\r\nFBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files\r\n—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing\r\nthese IP addresses to enable network defense and reduce exposure to any North Korean government malicious\r\ncyber activity.\r\nThis alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with FALLCHILL\r\nmalware, malware descriptions, and associated signatures. This alert also includes suggested response actions to\r\nthe IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or\r\nadministrators detect activity associated with the FALLCHILL malware, they should immediately flag it, report it\r\nto the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch\r\n(CyWatch), and give it the highest priority for enhanced mitigation.\r\nFor a downloadable copy of IOCs, see:\r\nIOCs (.csv)\r\nIOCs (.stix)\r\nNCCIC conducted analysis on two samples of FALLCHILL malware and produced a Malware Analysis Report\r\n(MAR). MAR-10135536-A examines the tactics, techniques, and procedures observed in the malware. For a\r\ndownloadable copy of the MAR, see:\r\nMAR (.pdf)\r\nMAR IOCs (.stix)\r\nAccording to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware\r\nsince 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-318A\r\nPage 1 of 5\n\nRAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s\r\nsystem via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA\r\nmalware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA\r\nactors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service\r\nto establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems\r\ncompromised with FALLCHILL.\r\nDuring analysis of the infrastructure used by FALLCHILL malware, the U.S. Government identified 83 network\r\nnodes. Additionally, using publicly available registration information, the U.S. Government identified the\r\ncountries in which the infected IP addresses are registered.\r\nTechnical Details\r\nFALLCHILL is the primary component of a C2 infrastructure that uses multiple proxies to obfuscate network\r\ntraffic between HIDDEN COBRA actors and a victim’s system. According to trusted third-party reporting,\r\ncommunication flows from the victim’s system to HIDDEN COBRA actors using a series of proxies as shown in\r\nfigure 1.\r\nFigure 1. HIDDEN COBRA Communication Flow\r\nFALLCHILL uses fake Transport Layer Security (TLS) communications, encoding the data with RC4 encryption\r\nwith the following key: [0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82]. FALLCHILL collects basic system\r\ninformation and beacons the following to the C2:\r\noperating system (OS) version information,\r\nprocessor information,\r\nsystem name,\r\nlocal IP address information,\r\nunique generated ID, and\r\nmedia access control (MAC) address.\r\nFALLCHILL contains the following built-in functions for remote operations that provide various capabilities on a\r\nvictim’s system:\r\nretrieve information about all installed disks, including the disk type and the amount of free space on the\r\ndisk;\r\ncreate, start, and terminate a new process and its primary thread;\r\nsearch, read, write, move, and execute files;\r\nget and modify file or directory timestamps;\r\nchange the current directory for a process or file; and\r\ndelete malware and artifacts associated with the malware from the infected system.\r\nDetection and Response\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-318A\r\nPage 2 of 5\n\nThis alert’s IOC files provide HIDDEN COBRA indicators related to FALLCHILL. DHS and FBI recommend\r\nthat network administrators review the information provided, identify whether any of the provided IP addresses\r\nfall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the\r\nmalware.\r\nWhen reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP\r\naddresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system\r\nowners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.\r\nNetwork Signatures and Host-Based Rules\r\nThis section contains network signatures and host-based rules that can be used to detect malicious activity\r\nassociated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility\r\nof false positives always remains. These signatures and rules should be used to supplement analysis and should\r\nnot be used as a sole source of attributing this activity to HIDDEN COBRA actors.\r\nNetwork Signatures\r\nalert tcp any any -\u003e any any (msg:\"Malicious SSL 01 Detected\";content:\"|17 03 01 00 08|\";\r\npcre:\"/\\x17\\x03\\x01\\x00\\x08.{4}\\x04\\x88\\x4d\\x76/\"; rev:1; sid:2;)\r\n___________________________________________________________________________________________\r\nalert tcp any any -\u003e any any (msg:\"Malicious SSL 02 Detected\";content:\"|17 03 01 00 08|\";\r\npcre:\"/\\x17\\x03\\x01\\x00\\x08.{4}\\x06\\x88\\x4d\\x76/\"; rev:1; sid:3;)\r\n___________________________________________________________________________________________\r\nalert tcp any any -\u003e any any (msg:\"Malicious SSL 03 Detected\";content:\"|17 03 01 00 08|\";\r\npcre:\"/\\x17\\x03\\x01\\x00\\x08.{4}\\xb2\\x63\\x70\\x7b/\"; rev:1; sid:4;)\r\n___________________________________________________________________________________________\r\nalert tcp any any -\u003e any any (msg:\"Malicious SSL 04 Detected\";content:\"|17 03 01 00 08|\";\r\npcre:\"/\\x17\\x03\\x01\\x00\\x08.{4}\\xb0\\x63\\x70\\x7b/\"; rev:1; sid:5;)\r\n___________________________________________________________________________________________\r\nYARA Rules\r\nThe following rules were provided to NCCIC by a trusted third party for the purpose of assisting in the\r\nidentification of malware associated with this alert.\r\nTHIS DHS/NCCIC MATERIAL IS FURNISHED ON AN “AS-IS” BASIS.  These rules have been tested and\r\ndetermined to function effectively in a lab environment, but we have no way of knowing if they may function\r\ndifferently in a production network.  Anyone using these rules are encouraged to test them using a data set\r\nrepresentitive of their environment.\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-318A\r\nPage 3 of 5\n\nrule rc4_stack_key_fallchill\r\n{\r\nmeta:\r\n description = \"rc4_stack_key\"\r\nstrings:\r\n $stack_key = { 0d 06 09 2a ?? ?? ?? ?? 86 48 86 f7 ?? ?? ?? ?? 0d 01 01 01 ?? ?? ?? ?? 05 00 03\r\n82 41 8b c9 41 8b d1 49 8b 40 08 48 ff c2 88 4c 02 ff ff c1 81 f9 00 01 00 00 7c eb }\r\ncondition:\r\n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $stack_key\r\n}\r\nrule success_fail_codes_fallchill\r\n{\r\nmeta:\r\n description = \"success_fail_codes\"\r\nstrings:\r\n $s0 = { 68 7a 34 12 00 } \r\n $s1 = { ba 7a 34 12 00 } \r\n $f0 = { 68 5c 34 12 00 } \r\n $f1 = { ba 5c 34 12 00 }\r\ncondition:\r\n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))\r\n}\r\n___________________________________________________________________________________________\r\nImpact\r\nA successful network intrusion can have severe impacts, particularly if the compromise becomes public and\r\nsensitive information is exposed. Possible impacts include:\r\ntemporary or permanent loss of sensitive or proprietary information,\r\ndisruption to regular operations,\r\nfinancial losses incurred to restore systems and files, and\r\npotential harm to an organization’s reputation.\r\nSolution\r\nMitigation Strategies\r\nDHS recommends that users and administrators use the following best practices as preventive measures to protect\r\ntheir computer networks:\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-318A\r\nPage 4 of 5\n\nUse application whitelisting to help prevent malicious software and unapproved programs from running.\r\nApplication whitelisting is one of the best security strategies as it allows only specified programs to run,\r\nwhile blocking all others, including malicious software.\r\nKeep operating systems and software up-to-date with the latest patches. Vulnerable applications and\r\noperating systems are the target of most attacks. Patching with the latest updates greatly reduces the\r\nnumber of exploitable entry points available to an attacker.\r\nMaintain up-to-date antivirus software, and scan all software downloaded from the Internet before\r\nexecuting.\r\nRestrict users’ abilities (permissions) to install and run unwanted software applications, and apply the\r\nprinciple of “least privilege” to all systems and services. Restricting these privileges may prevent malware\r\nfrom running or limit its capability to spread through the network.\r\nAvoid enabling macros from email attachments. If a user opens the attachment and enables macros,\r\nembedded code will execute the malware on the machine. For enterprises or organizations, it may be best\r\nto block email messages with attachments from suspicious sources. For information on safely handling\r\nemail attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the\r\nweb. See Good Security Habits and Safeguarding Your Data for additional details.\r\nDo not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for\r\nmore information.\r\nResponse to Unauthorized Network Access\r\nContact DHS or your local FBI office immediately. To report an intrusion and request resources for\r\nincident response or technical assistance, contact CISA Central (SayCISA@cisa.dhs.gov or by phone at\r\n1-844-Say-CISA), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-\r\n292-3937).\r\nRevisions\r\nNovember 14, 2017: Initial version\r\nSource: https://www.us-cert.gov/ncas/alerts/TA17-318A\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-318A\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia", "MITRE", "ETDA" ], "origins": [ "web" ], "references": [ "https://www.us-cert.gov/ncas/alerts/TA17-318A" ], "report_names": [ "TA17-318A" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434150, "ts_updated_at": 1775826770, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/64203f95339f24c2032d29a5fc26d953a63e94f7.pdf", "text": "https://archive.orkl.eu/64203f95339f24c2032d29a5fc26d953a63e94f7.txt", "img": "https://archive.orkl.eu/64203f95339f24c2032d29a5fc26d953a63e94f7.jpg" } }