HIDDEN COBRA Malware Analysis Report

2018-08-03 Igloo HIDDEN COBRA Malware Analysis Report

https://www.igloo.co.kr/security-information/hidden-cobra-%ec%95%85%ec%84%b1%ec%bd%94%eb%93%9c-%eb%b6%84%ec%84%9d-%eb%b3%b4%ea%b3%a0%ec%84%9c/

Igloo analyzes HIDDEN COBRA malware built around a dropper that installs two components: Joanap, a remote access backdoor, and Brambul, an SMB worm. The dropper first checks for a service named SCardPrv to decide whether the host is already infected (which also makes that service name a convenient host-level indicator), then writes scardprv.dll, Wmmvsvc.dll, and mssscardprv.ax from embedded resources and registers the two DLLs as Windows services. scardprv.dll is the backdoor: it listens on TCP/443 and, among other commands, can search for and delete specific directories. Wmmvsvc.dll is the worm: it reads target IP addresses and ports from mssscardprv.ax and attempts SMB connections to those hosts. Against each reachable host it attempts to log in as Administrator, builds the ADMIN$ share path appropriate to the remote Windows version, copies Wmmvsvc.dll and mssscardprv.ax over that share, and registers the copied DLL as a service so that the newly infected host in turn spreads further. The malware also connects to Google mail servers and sends information about the infected system to a hardcoded address. Hashes and US-CERT references are supplied for validation.
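As an added example (not code from the Igloo report, and unrelated to the malware's own code), the following Python hunts for the three stages of the chain above that leave traces in Windows logs: installation of the dropped DLLs as services, the worm's writes to a remote ADMIN$ share, and the burst of failed Administrator logons that its login attempts produce on the target. The records are constructed samples in a simplified key=value form rather than real EVTX; the event IDs are the standard Windows ones (7045 service installed, 4625 logon failure, 5145 share object access), but the field names, the failure thresholds, and the service name used for Wmmvsvc.dll are assumptions.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Component names from the Igloo write-up; compared in lower case (NTFS is case-insensitive).
DROPPED_FILES = {"scardprv.dll", "wmmvsvc.dll", "mssscardprv.ax"}
WORM_FILES = {"wmmvsvc.dll", "mssscardprv.ax"}   # what the worm copies to ADMIN$
SERVICE_NAMES = {"scardprv"}                     # service the dropper checks for

# Assumed thresholds (not from the report) for the worm's Administrator login
# attempts as seen by the target: failed network logons (4625, logon type 3)
# from one source within the window.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(seconds=60)


def parse_event(line):
    """Parse one constructed 'key=value key="quoted value"' record into a dict."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.escape = ""                      # keep Windows backslashes literal
    ev = dict(tok.partition("=")[::2] for tok in lex)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_service_install(ev):
    """Event 7045: a new service whose name or binary is a dropped component."""
    if ev.get("id") != "7045":
        return None
    if (ev.get("service", "").lower() in SERVICE_NAMES
            or basename(ev.get("image", "")) in DROPPED_FILES):
        return {"kind": "service_install", "host": ev["host"],
                "detail": f"{ev.get('service')} -> {ev.get('image')}"}
    return None


def check_admin_share_write(ev):
    """Event 5145: worm files written to ADMIN$ by a remote host (secondary infection)."""
    if ev.get("id") != "5145" or not ev.get("share", "").upper().endswith("ADMIN$"):
        return None
    if basename(ev.get("target", "")) in WORM_FILES and "Write" in ev.get("access", ""):
        return {"kind": "admin_share_write", "host": ev["host"],
                "detail": f"{ev.get('src')} wrote {ev.get('target')}"}
    return None


def check_admin_bruteforce(events):
    """Event 4625 bursts: Administrator network logon failures from one source."""
    buckets = defaultdict(list)
    for ev in events:
        if (ev.get("id") == "4625" and ev.get("logon_type") == "3"
                and ev.get("user", "").lower() == "administrator"):
            buckets[(ev["host"], ev.get("src"))].append(ev["ts"])
    alerts = []
    for (host, src), times in buckets.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over timestamps
            while t - times[start] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                alerts.append({"kind": "admin_bruteforce", "host": host,
                               "detail": f"{end - start + 1} Administrator failures from {src}"})
                break
    return alerts


def scan(lines):
    """Run all checks over raw records and return the list of alert dicts."""
    events = [parse_event(line) for line in lines]
    alerts = [hit for ev in events
              for hit in (check_service_install(ev), check_admin_share_write(ev)) if hit]
    alerts.extend(check_admin_bruteforce(events))
    return alerts


# Constructed sample records (not real telemetry). Field names are simplified
# from the Windows System log (7045) and Security log (4625, 5145); the
# service name "WmmvSvc" is an assumption, the report does not give one.
SAMPLE_EVENTS = [
    r'ts=2018-08-03T09:58:00 id=7045 host=WS01 service=BackupAgent image="C:\Program Files\Backup\agent.exe"',
    r'ts=2018-08-03T10:00:01 id=7045 host=WS01 service=SCardPrv image="C:\Windows\System32\scardprv.dll"',
    r'ts=2018-08-03T10:00:02 id=7045 host=WS01 service=WmmvSvc image="C:\Windows\System32\Wmmvsvc.dll"',
] + [
    f"ts=2018-08-03T10:05:{10 + i:02d} id=4625 host=FS01 user=Administrator logon_type=3 src=10.0.0.5"
    for i in range(6)
] + [
    r'ts=2018-08-03T10:05:20 id=4625 host=FS01 user=jdoe logon_type=3 src=10.0.0.9',
    r'ts=2018-08-03T10:05:30 id=5145 host=FS01 share=\\*\ADMIN$ target=Wmmvsvc.dll access=WriteData src=10.0.0.5',
    r'ts=2018-08-03T10:05:31 id=5145 host=FS01 share=\\*\ADMIN$ target=mssscardprv.ax access=WriteData src=10.0.0.5',
    r'ts=2018-08-03T10:06:00 id=5145 host=FS01 share=\\*\Data target=reports\q3.xlsx access=ReadData src=10.0.0.9',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['kind']}] {alert['host']}: {alert['detail']}")
```

On the sample the scan raises two service_install alerts on WS01 (the dropper's own services), two admin_share_write alerts on FS01 (the worm staging its files over ADMIN$ from 10.0.0.5), and one admin_bruteforce alert for the same source; the benign service install, the single jdoe failure, and the ordinary share read are ignored. The share-write and logon-burst checks are the ones worth keeping on a file server even after the specific filenames change, since the ADMIN$ copy plus remote service registration is the worm's propagation mechanism regardless of component names.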

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   077d9e0e12357d27f7f0c336239e961…    2018-08-03   2020-03-09
HASH   a1c483b0ee740291b91b11e18dd05f0…    2015-10-26   2020-03-09
HASH   ea46ed5aed900cd9f01156a1cd446cb…    2018-08-03   2018-08-03

The hash values are truncated as listed here; use the full hashes from the Igloo report or the US-CERT references for exact matching rather than these prefixes.
