McAfee attributed Operation GhostSecret with high confidence to Hidden Cobra and described a global data-reconnaissance campaign affecting sectors including critical infrastructure, entertainment, finance, health care, telecommunications, and higher education. The campaign used multiple implants, including a Destover-like variant, Bankshot-related functionality, and the previously undocumented Proxysvc component, with code and PE rich-header overlaps linking them to earlier Hidden Cobra tooling. The Destover-like implant used FakeTLS over port 443 with PolarSSL and control-server traffic similar to Backdoor.Escad, while Proxysvc acted as a covert SSL listener that could support additional implants or infrastructure. Infrastructure findings included active control servers, reused SSL certificates, and ties to servers associated with earlier Sony Pictures-related activity, making the campaign significant for tracking long-lived DPRK-linked tooling and infrastructure reuse.