{ "id": "39074605-6dcd-4d54-8b1e-6159a88d6bf1", "created_at": "2026-04-06T00:20:55.211517Z", "updated_at": "2026-04-10T03:38:20.578638Z", "deleted_at": null, "sha1_hash": "68e9b768ef32e6bc4043bc92a19cf93fc8f7505b", "title": "HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm | CISA", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 66175, "plain_text": "HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server\r\nMessage Block Worm | CISA\r\nPublished: 2018-05-31 · Archived: 2026-04-05 15:26:33 UTC\r\nSystems Affected\r\nNetwork systems\r\nOverview\r\nThis joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security\r\n(DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI\r\nidentified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with two families\r\nof malware used by the North Korean government:\r\na remote access tool (RAT), commonly known as Joanap; and\r\na Server Message Block (SMB) worm, commonly known as Brambul.\r\nThe U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.\r\nFor more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.\r\nFBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files\r\n—to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing\r\nthese IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean\r\ngovernment malicious cyber activity.\r\nThis alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques,\r\nand information on how to report incidents. If users or administrators detect activity associated with these\r\nmalware families, they should immediately flag it, report it to the DHS National Cybersecurity and\r\nCommunications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority\r\nfor enhanced mitigation.\r\nSee the following links for a downloadable copy of IOCs:\r\nIOCs (.csv)\r\nIOCs (.stix)\r\nNCCIC conducted analysis on four malware samples and produced a Malware Analysis Report (MAR). MAR-10135536.3 – RAT/Worm examines the tactics, techniques, and procedures observed in the malware. Visit MAR-10135536.3 – HIDDEN COBRA RAT/Worm for the report and associated IOCs.\r\nAccording to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and\r\nBrambul malware since at least 2009 to target multiple victims globally and in the United States—including the\r\nhttps://www.us-cert.gov/ncas/alerts/TA18-149A\r\nPage 1 of 5\n\nmedia, aerospace, financial, and critical infrastructure sectors. Users and administrators should review the\r\ninformation related to Joanap and Brambul from the Operation Blockbuster Destructive Malware Report [1] in\r\nconjunction with the IP addresses listed in the .csv and .stix files provided within this alert. Like many of the\r\nfamilies of malware used by HIDDEN COBRA actors, Joanap, Brambul, and other previously reported custom\r\nmalware tools, may be found on compromised network nodes. Each malware tool has different purposes and\r\nfunctionalities.\r\nJoanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by\r\nHIDDEN COBRA actors remotely from a command and control server. Joanap typically infects a system as a file\r\ndropped by other HIDDEN COBRA malware, which users unknowingly downloaded either when they visit sites\r\ncompromised by HIDDEN COBRA actors, or when they open malicious email attachments.\r\nDuring analysis of the infrastructure used by Joanap malware, the U.S. Government identified 87 compromised\r\nnetwork nodes. The countries in which the infected IP addresses are registered are as follows:\r\nArgentina\r\nBelgium\r\nBrazil\r\nCambodia\r\nChina\r\nColombia\r\nEgypt\r\nIndia\r\nIran\r\nJordan\r\nPakistan\r\nSaudi Arabia\r\nSpain\r\nSri Lanka\r\nSweden\r\nTaiwan\r\nTunisia\r\nMalware often infects servers and systems without the knowledge of system users and owners. If the malware can\r\nestablish persistence, it could move laterally through a victim’s network and any connected networks to infect\r\nnodes beyond those identified in this alert.\r\nBrambul malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared\r\naccess to files between users on a network. Brambul malware typically spreads by using a list of hard-coded login\r\ncredentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.\r\nTechnical Details\r\nJoanap\r\nJoanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to\r\nenable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop\r\nand run secondary payloads, and initialize proxy communications on a compromised Windows device. Other\r\nnotable functions include\r\nfile management,\r\nprocess management,\r\ncreation and deletion of directories, and\r\nnode management.\r\nhttps://www.us-cert.gov/ncas/alerts/TA18-149A\r\nPage 2 of 5\n\nAnalysis indicates the malware encodes data using Rivest Cipher 4 encryption to protect its communication with\r\nHIDDEN COBRA actors. Once installed, the malware creates a log entry within the Windows System Directory\r\nin a file named mssscardprv.ax. HIDDEN COBRA actors use this file to capture and store victims’ information\r\nsuch as the host IP address, host name, and the current system time.\r\nBrambul\r\nBrambul malware is a malicious Windows 32-bit SMB worm that functions as a service dynamic link library file\r\nor a portable executable file often dropped and installed onto victims’ networks by dropper malware. When\r\nexecuted, the malware attempts to establish contact with victim systems and IP addresses on victims’ local\r\nsubnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and\r\n445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware\r\ngenerates random IP addresses for further attacks.\r\nAnalysts suspect the malware targets insecure or unsecured user accounts and spreads through poorly secured\r\nnetwork shares. Once the malware establishes unauthorized access on the victim’s systems, it communicates\r\ninformation about victim’s systems to HIDDEN COBRA actors using malicious email addresses. This information\r\nincludes the IP address and host name—as well as the username and password—of each victim’s system.\r\nHIDDEN COBRA actors can use this information to remotely access a compromised system via the SMB\r\nprotocol.\r\nAnalysis of a newer variant of Brambul malware identified the following built-in functions for remote operations:\r\nharvesting system information,\r\naccepting command-line arguments,\r\ngenerating and executing a suicide script,\r\npropagating across the network using SMB,\r\nbrute forcing SMB login credentials, and\r\ngenerating Simple Mail Transport Protocol email messages containing target host system information.\r\nDetection and Response\r\nThis alert’s IOC files provide HIDDEN COBRA IOCs related to Joanap and Brambul. DHS and FBI recommend\r\nthat network administrators review the information provided, identify whether any of the provided IP addresses\r\nfall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the\r\nmalware.\r\nWhen reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP\r\naddresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system\r\nowners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.\r\nImpact\r\nA successful network intrusion can have severe impacts, particularly if the compromise becomes public. Possible\r\nimpacts include\r\nhttps://www.us-cert.gov/ncas/alerts/TA18-149A\r\nPage 3 of 5\n\ntemporary or permanent loss of sensitive or proprietary information,\r\ndisruption to regular operations,\r\nfinancial losses incurred to restore systems and files, and\r\npotential harm to an organization’s reputation.\r\nSolution\r\nMitigation Strategies\r\nDHS recommends that users and administrators use the following best practices as preventive measures to protect\r\ntheir computer networks:\r\nKeep operating systems and software up-to-date with the latest patches. Most attacks target vulnerable\r\napplications and operating systems. Patching with the latest updates greatly reduces the number of\r\nexploitable entry points available to an attacker.\r\nMaintain up-to-date antivirus software, and scan all software downloaded from the internet before\r\nexecuting.\r\nRestrict users’ abilities (permissions) to install and run unwanted software applications, and apply the\r\nprinciple of least privilege to all systems and services. Restricting these privileges may prevent malware\r\nfrom running or limit its capability to spread through the network.\r\nScan for and remove suspicious email attachments. If a user opens a malicious attachment and enables\r\nmacros, embedded code will execute the malware on the machine. Enterprises and organizations should\r\nconsider blocking email messages from suspicious sources that contain attachments. For information on\r\nsafely handling email attachments, see Using Caution with Email Attachments. Follow safe practices when\r\nbrowsing the web. See Good Security Habits and Safeguarding Your Data for additional details.\r\nDisable Microsoft’s File and Printer Sharing service, if not required by the user’s organization. If this\r\nservice is required, use strong passwords or Active Directory authentication. See Choosing and Protecting\r\nPasswords for more information on creating strong passwords.\r\nEnable a personal firewall on organization workstations and configure it to deny unsolicited connection\r\nrequests.\r\nResponse to Unauthorized Network Access\r\nContact DHS or your local FBI office immediately. To report an intrusion and request resources for incident\r\nresponse or technical assistance, contact CISA Central (SayCISA@cisa.dhs.gov or by phone at 1-844-Say-CISA), FBI through a local field office, or FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).\r\nReferences\r\n[1] Novetta’s Destructive Malware Report\r\nRevisions\r\nMay 29, 2018: Initial version|May 31, 2018: Uploaded updated STIX and CSV files\r\nhttps://www.us-cert.gov/ncas/alerts/TA18-149A\r\nPage 4 of 5\n\nSource: https://www.us-cert.gov/ncas/alerts/TA18-149A\r\nhttps://www.us-cert.gov/ncas/alerts/TA18-149A\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://www.us-cert.gov/ncas/alerts/TA18-149A" ], "report_names": [ "TA18-149A" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434855, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/68e9b768ef32e6bc4043bc92a19cf93fc8f7505b.pdf", "text": "https://archive.orkl.eu/68e9b768ef32e6bc4043bc92a19cf93fc8f7505b.txt", "img": "https://archive.orkl.eu/68e9b768ef32e6bc4043bc92a19cf93fc8f7505b.jpg" } }