HIDDEN COBRA malware (java.exe) analysis report

2018-10-02 Igloo HIDDEN COBRA malware (java.exe) analysis report

https://www.igloo.co.kr/security-information/hidden-cobra-%ec%95%85%ec%84%b1%ec%bd%94%eb%93%9cjava-exe-%eb%b6%84%ec%84%9d-%eb%b3%b4%ea%b3%a0%ec%84%9c/

Igloo analyzes a collected HIDDEN COBRA java.exe malware sample that connects to hardcoded command-and-control servers and executes attacker commands once a connection succeeds. The sample is reported to be dropped by a 64-bit malicious DLL and stores the names of the API functions it needs as encrypted strings that are decrypted at runtime. Static analysis shows host profiling for CPU, disk, and network adapter information, use of select() to support connections to multiple C2 servers, and command routines for registry modification, service removal, file search, file read/write, and process creation. The C2 servers were offline at analysis time, so the dynamic behavior could not be fully confirmed, but the code paths indicate remote command execution via cmd.exe and other host-management capabilities. The report provides a SHA-256 sample hash and links its findings to US-CERT reporting on HIDDEN COBRA for defensive correlation.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   3c809a10106990ba93ec0ed3b63ec85…   2018-10-02   2018-10-02
HASH   6ab301fc3296e1ceb140bf5d294894c5   2018-10-02   2018-10-02
IPv4   184.107.209.2                      2017-12-19   2018-10-02
IPv4   181.119.19.56                      2017-12-19   2018-10-02
IPv4   80.91.118.45                       2017-12-19   2018-10-02
IPv4   111.207.78.204                     2017-12-19   2018-10-02
