Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

U.S. Government Shares Details of FALLCHILL Malware Used by North Korea

FALLCHILL Malware Used by North Korean Government Hackers is a Fully Functional RAT, DHS Says

FALLCHILL Malware Used by North Korean Government Hackers is a Fully Functional RAT, DHS Says

The United States Department of Homeland Security (DHS) shared details of a hacking tool they say is being used by a threat group linked to the North Korean government known as “Hidden Cobra.”

The threat actor dubbed by the U.S. government “Hidden Cobra” is better known in the cybersecurity community as Lazarus Group, which is believed to be behind several high-profile attacks, including the ones targeting Sony PicturesBangladesh’s central bank, and financial organizations in Poland. Links have also been found between the threat actor and the recent WannaCry ransomware attacks, but some experts are skeptical.


A joint alert issued by the DHS and FBI said a remote administration tool (RAT) known as FALLCHILL was used by the North Korean government to hack into companies in the aerospace, telecommunications, and finance sectors. The alert describes FALLCHILL as a “fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies.”

The U.S. Government has been able identify 83 network nodes in the infrastructure used by the FALLCHILL malware. The alert says that, according to a trusted third party, FALLCHILL uses fake SSL headers for communications. “After collecting basic system information, the backdoor will begin communication with the C&C server using a custom encrypted protocol with the header that resembles TLS/SSL packets,” it reads.”

In a separate alert issued Tuesday, the DHS and FBI shared a list of Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a variant of the Volgmer Trojan used by the North Korean government. The alert describes Volgmer as a backdoor Trojan “designed to provide covert access to a compromised system.” The DHS says at least 94 static IP addresses were identified to be connected to Volgmer’s infrastrucutre, along with dynamic IP addresses registered across various countries.

According to DHS, the North Korea-linked hackers have been using Volgmer malware in attacks against the government, financial, automotive, and media industries since at least 2013.

“DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity,” the alert states.

The DHS warned that spear phishing appears to be the primary delivery mechanism for Volgmer infections; but added that the Hidden Cobra threat actors also use a suite of custom tools, some of which could also be used to initially compromise a system. 

The alert with technical details and IOCs on FALLCHILL are available here. The alert and technical details for the the Volgmer Trojan are available here.

In June, US-CERT released a technical alert to warn organizations of distributed denial-of-service (DDoS) attacks conducted by Hidden Cobra.

Related: U.S. Warns of North Korea’s ‘Hidden Cobra’ Attacks

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.