The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have published another report on the US-CERT website detailing a piece of malware allegedly used by the North Korean government.
A dozen reports have been published by the DHS and the FBI over the past year on the North Korea-linked threat group tracked by the U.S. government as Hidden Cobra. The list of tools detailed by the agencies includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.
The latest report describes a piece of malware dubbed “Typeframe” and covers a total of 11 samples related to the threat, including executable files and malicious Word documents containing VBA macros.
“These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections,” the agencies said.
The alert contains indicators of compromise (IoCs) for each of the files, including a description of their functionality, hashes, IPs, antivirus detections, metadata, and YARA rules.
The goal of the report is to “enable network defense and reduce exposure to North Korean government malicious cyber activity.” However, security experts have argued in the past that these types of alerts from government agencies are actually not enough to help improve defenses.
The previous Hidden Cobra report, published on the US-CERT website in late May, attributed the Joanap backdoor trojan and the Brambul worm to the North Korean government.
While it has always denied accusations, experts say North Korea continues to be highly active in cyberspace, with some claiming that the country is even more aggressive than China. Recent attacks attributed to North Korea involved new malware and even zero-day vulnerabilities.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
