Hangro: Investigating North Korean VPN Infrastructure Part 2
2025-07-16 • NKInternet
The Hangro VPN investigation examined four service IPs that share a certificate for CN=hangro.net.kp on port 7443 and appear to require certificate-based authentication. Reverse engineering an older Hangro client found local certificate retrieval from 127.0.0.1:6279, an embedded encrypted private key decrypted with the password 1234, and local certificate validation before a TLS connection is attempted. Testing showed the service expects a client certificate signed by the internal-looking hrra2024 authority, while the observed server certificate was flagged for client authentication rather than server authentication. The client also contains GOST cipher references and imports suggesting external authentication or USB token support. Recent sightings of the Hangro icon on a North Korean site and SoftEther-like drivers and traffic support the assessment that Hangro may be used by North Koreans overseas to connect back into DPRK infrastructure.
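To make the EKU observation concrete, here is an added Go example (not code from the Hangro client or from the original post): it constructs a throwaway CA named like the hrra2024 authority and a leaf for hangro.net.kp flagged only for clientAuth, then checks whether a standard TLS client trusting that CA would accept the leaf as a server certificate. The serials, keys and validity window are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues tmpl signed by parentKey (nil means self-signed) and returns it with a throwaway P-256 key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildChain constructs a CA named like the page's hrra2024 authority and a
// leaf for hangro.net.kp carrying the given EKUs; serials and keys are made up.
func buildChain(ekus []x509.ExtKeyUsage) (ca, leaf *x509.Certificate) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "hrra2024"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := newCert(caTmpl, caTmpl, nil)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "hangro.net.kp"},
		DNSNames: []string{"hangro.net.kp"}, NotBefore: now, NotAfter: now.Add(time.Hour), ExtKeyUsage: ekus}
	leaf, _ = newCert(leafTmpl, ca, caKey)
	return ca, leaf
}

// acceptedAsServer reports whether a standard TLS client trusting ca would accept
// leaf as the server certificate for host; a leaf whose EKU lacks serverAuth is
// rejected, which is the situation the page describes for the port 7443 service.
func acceptedAsServer(ca, leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}
```

Running `acceptedAsServer` on a leaf built with only `x509.ExtKeyUsageClientAuth` returns false, while the same chain built with `x509.ExtKeyUsageServerAuth` returns true for the matching hostname.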
Indicators of Compromise