HIDDEN COBRA – FASTCash Campaign

2018-10-02 USCISA

https://www.cisa.gov/news-events/alerts/2018/10/02/hidden-cobra-fastcash-campaign


U.S. government agencies attributed the FASTCash ATM cash-out campaign to HIDDEN COBRA, describing North Korean government activity against banks in Africa and Asia since at least late 2016. The campaign compromised retail payment switch application servers so that fraudulent but legitimate-looking ISO 8583 response messages could authorize ATM withdrawals across many countries. The alert says the actors likely used spear phishing, Windows malware, and legitimate credentials, and moved laterally through bank networks before deploying AIX malware and command-line utilities to inject malicious code into running switch-server processes. Observed artifacts included ISO 8583 libraries, commands executed from temporary directories, and malware samples published in a related NCCIC analysis report. Defenders are urged to prioritize these indicators and isolate payment infrastructure.
