{
	"id": "4f94d76f-5425-4860-abb5-cc368a547678",
	"created_at": "2026-04-06T00:15:55.637309Z",
	"updated_at": "2026-04-10T03:38:19.852755Z",
	"deleted_at": null,
	"sha1_hash": "bc89ddb3524d932c471b0bffcd988cec6ae00604",
	"title": "HIDDEN COBRA – North Korean Trojan: Volgmer | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74942,
	"plain_text": "HIDDEN COBRA – North Korean Trojan: Volgmer | CISA\r\nPublished: 2017-11-22 · Archived: 2026-04-05 13:39:18 UTC\r\nSystems Affected\r\nNetwork systems\r\nOverview\r\nThis joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS)\r\nand the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified\r\nInternet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant\r\nused by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber\r\nactivity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity,\r\nvisit https://www.us-cert.gov/hiddencobra.\r\nFBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to\r\nmaintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP\r\naddresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.\r\nThis alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware,\r\nmalware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs\r\nprovided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect\r\nactivity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National\r\nCybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the\r\nhighest priority for enhanced mitigation.\r\nFor a downloadable copy of IOCs, see:\r\nIOCs (.csv)\r\nIOCs (.stix)\r\nNCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware\r\nAnalysis Report (MAR). 
MAR-10135536-D examines the tactics, techniques, and procedures observed. For a\r\ndownloadable copy of the MAR, see:\r\nMAR (.pdf)\r\nMAR IOCs (.stix)\r\nVolgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013,\r\nHIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial,\r\nautomotive, and media industries.\r\nIt is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN\r\nCOBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system.\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-318B\r\nPage 1 of 4\n\nTherefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure\r\ncompromised with Volgmer.\r\nThe U.S. Government has analyzed Volgmer’s infrastructure and has identified it on systems using both dynamic and\r\nstatic IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across\r\nvarious countries. The greatest concentrations of dynamic IP addresses are identified below by approximate\r\npercentage:\r\nIndia (772 IPs) 25.4 percent\r\nIran (373 IPs) 12.3 percent\r\nPakistan (343 IPs) 11.3 percent\r\nSaudi Arabia (182 IPs) 6 percent\r\nTaiwan (169 IPs) 5.6 percent\r\nThailand (140 IPs) 4.6 percent\r\nSri Lanka (121 IPs) 4 percent\r\nChina (82 IPs, including Hong Kong (12)) 2.7 percent\r\nVietnam (80 IPs) 2.6 percent\r\nIndonesia (68 IPs) 2.2 percent\r\nRussia (68 IPs) 2.2 percent\r\nTechnical Details\r\nAs a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service\r\nregistry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. 
In\r\none of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality.\r\nVolgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The\r\nmalware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port\r\n8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.\r\nMalicious actors commonly maintain persistence on a victim’s system by installing the malware as a service. Volgmer\r\nqueries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the\r\nServiceDLL entry in the selected service's registry entry. In some cases, HIDDEN COBRA actors give the created\r\nservice a pseudo-random name that may be composed of various hardcoded words.\r\nDetection and Response\r\nThis alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network\r\nadministrators review the information provided, identify whether any of the provided IP addresses fall within their\r\norganizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.\r\nWhen reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses\r\nattempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find\r\nsome traffic relates to malicious activity and some traffic relates to legitimate activity.\r\nNetwork Signatures and Host-Based Rules\r\nThis section contains network signatures and host-based rules that can be used to detect malicious activity associated\r\nwith HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false\r\npositives always remains. 
These signatures and rules should be used to supplement analysis and should not be used as a\r\nsole source of attributing this activity to HIDDEN COBRA actors.\r\nNetwork Signatures\r\nalert tcp any any -\u003e any any (msg:\"Malformed_UA\"; content:\"User-Agent: Mozillar/\"; depth:500;\r\nsid:99999999;)\r\n___________________________________________________________________________________________________\r\nYARA Rules\r\nrule volgmer\r\n{\r\nmeta:\r\n description = \"Malformed User Agent\"\r\nstrings:\r\n $s = \"Mozillar/\"\r\ncondition:\r\n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s\r\n}\r\nImpact\r\nA successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive\r\ninformation is exposed. Possible impacts include\r\ntemporary or permanent loss of sensitive or proprietary information,\r\ndisruption to regular operations,\r\nfinancial losses incurred to restore systems and files, and\r\npotential harm to an organization’s reputation.\r\nSolution\r\nMitigation Strategies\r\nDHS recommends that users and administrators use the following best practices as preventive measures to protect their\r\ncomputer networks:\r\nUse application whitelisting to help prevent malicious software and unapproved programs from running.\r\nApplication whitelisting is one of the best security strategies as it allows only specified programs to run, while\r\nblocking all others, including malicious software.\r\nKeep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating\r\nsystems are the target of most attacks. 
Patching with the latest updates greatly reduces the number of exploitable\r\nentry points available to an attacker.\r\nMaintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.\r\nRestrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle\r\nof “least privilege” to all systems and services. Restricting these privileges may prevent malware from running\r\nor limit its capability to spread through the network.\r\nAvoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded\r\ncode will execute the malware on the machine. For enterprises or organizations, it may be best to block email\r\nmessages with attachments from suspicious sources. For information on safely handling email attachments, see\r\nRecognizing and Avoiding Email Scams.\r\nFollow safe practices when browsing the web. See Good Security\r\nHabits and Safeguarding Your Data for additional details.\r\nDo not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for more\r\ninformation.\r\nResponse to Unauthorized Network Access\r\nContact DHS or your local FBI office immediately. To report an intrusion and request resources for incident\r\nresponse or technical assistance, contact CISA Central (SayCISA@cisa.dhs.gov or by phone at 1-844-Say-CISA), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).\r\nRevisions\r\nNovember 14, 2017: Initial version\r\nSource: https://www.us-cert.gov/ncas/alerts/TA17-318B",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/TA17-318B"
	],
	"report_names": [
		"TA17-318B"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434555,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc89ddb3524d932c471b0bffcd988cec6ae00604.pdf",
		"text": "https://archive.orkl.eu/bc89ddb3524d932c471b0bffcd988cec6ae00604.txt",
		"img": "https://archive.orkl.eu/bc89ddb3524d932c471b0bffcd988cec6ae00604.jpg"
	}
}