The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have published another report on the US-CERT website detailing a piece of malware allegedly used by the North Korean government.
A dozen reports have been published by the DHS and the FBI over the past year on the North Korea-linked threat group tracked by the U.S. government as Hidden Cobra. The list of tools detailed by the agencies includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.
The latest report describes a piece of malware dubbed “Typeframe” and it covers a total of 11 samples related to the threat, including executable files and malicious Word documents containing VBA macros.
“These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections,” the agencies said.
The alert contains indicators of compromise (IoCs) for each of the files, including a description of their functionality, hashes, IPs, antivirus detections, metadata, and YARA rules.
The goal of the report is to “enable network defense and reduce exposure to North Korean government malicious cyber activity.” However, security experts argued in the past that these types of alerts from government agencies are actually not enough to help improve defenses.
The previous Hidden Cobra report, published on the US-CERT website in late May, attributed the Joanap backdoor trojan and the Brambul worm to the North Korean government.
While it has always denied accusations, experts say North Korea continues to be highly active in cyberspace, with some claiming that the country is even more aggressive than China. Recent attacks attributed to North Korea involved new malware and even zero-day vulnerabilities.
Related: North Korean Hacking Group APT37 Expands Targets
Related: Trend Micro Scan Engine Used by North Korea’s SiliVaccine Antivirus

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
