HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
2018-05-29 • USCISA
DHS and the FBI attributed Joanap remote access tool (RAT) and Brambul SMB worm activity to HIDDEN COBRA, the U.S. Government's term for North Korean government malicious cyber activity. The malware had reportedly been in use since at least 2009 against victims globally and in the United States, including the media, aerospace, financial, and critical infrastructure sectors.

Joanap is described as a RAT that is typically dropped by other HIDDEN COBRA malware and that can receive remote commands from a command and control server, exfiltrate data, drop and run secondary payloads, initialize proxy communications, and maintain peer-to-peer botnet communications between infected hosts.

Brambul spreads through SMB shares by brute-forcing authentication over ports 139 and 445 with a list of embedded passwords. Once it gains access to a host, it emails the victim's hostname, IP address, username, and password back to actor-controlled email addresses. The alert provides IOC files and notes that analysis of 87 compromised Joanap network nodes informed them, so defenders can check their networks for the listed indicators, identify infected infrastructure, and prioritize mitigation.
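Brambul's spreading behaviour (many failed network logons to SMB on ports 139 and 445 from one source, across several hosts and built-in account names, often followed by a success once an embedded password matches) is the kind of pattern a detection rule can catch. The following is an added example written for this page, not code from the alert or from the malware samples it describes. It runs a windowed brute-force detector over constructed log lines that loosely mimic the fields a SIEM would carry from Windows Security events 4625 (failed logon) and 4624 (successful logon); the addresses, hostnames, account names, field format, and thresholds are all assumptions chosen for illustration.

```python
"""Flag Brambul-style SMB credential brute forcing in (constructed) logon event lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# SMB over NetBIOS (139) and direct-hosted SMB (445): the ports the alert names.
SMB_PORTS = {139, 445}

# Constructed sample events, not real telemetry. One line per logon attempt:
# "<ISO timestamp> src=<ip> dst=<host> user=<account> type=<logon type> port=<dst port> result=<ok|fail>"
# Logon type 3 is a network logon, which is what an SMB authentication produces.
SAMPLE_LOG = """\
2018-05-29T10:00:00 src=192.0.2.10 dst=FS01 user=administrator type=3 port=445 result=fail
2018-05-29T10:00:02 src=192.0.2.10 dst=FS01 user=admin type=3 port=445 result=fail
2018-05-29T10:00:04 src=192.0.2.10 dst=FS01 user=root type=3 port=445 result=fail
2018-05-29T10:00:06 src=192.0.2.10 dst=FS02 user=administrator type=3 port=139 result=fail
2018-05-29T10:00:08 src=192.0.2.10 dst=FS02 user=admin type=3 port=445 result=fail
2018-05-29T10:00:10 src=192.0.2.10 dst=FS02 user=administrator type=3 port=445 result=fail
2018-05-29T10:00:12 src=192.0.2.10 dst=FS02 user=administrator type=3 port=445 result=ok
2018-05-29T10:05:00 src=192.0.2.50 dst=FS01 user=jsmith type=3 port=445 result=fail
2018-05-29T10:05:09 src=192.0.2.50 dst=FS01 user=jsmith type=3 port=445 result=ok
2018-05-29T10:06:00 src=192.0.2.60 dst=WEB01 user=svc_web type=3 port=443 result=fail
"""


def parse_event(line):
    """Turn one constructed log line into a dict with typed ts/type/port fields."""
    ts_text, *pairs = line.split()
    ev = dict(pair.split("=", 1) for pair in pairs)
    ev["ts"] = datetime.fromisoformat(ts_text)
    ev["type"] = int(ev["type"])
    ev["port"] = int(ev["port"])
    return ev


def smb_auth_events(lines):
    """Keep only network logons against SMB ports; everything else is noise here."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev["type"] == 3 and ev["port"] in SMB_PORTS:
            yield ev


def detect_smb_bruteforce(log_text, window=timedelta(seconds=60), min_failures=5):
    """Return {source_ip: finding} for sources with a burst of SMB logon failures.

    A finding records the largest number of failures seen in any `window`,
    the distinct target hosts and accounts tried (lateral spread plus password
    spraying, both characteristic of the worm), and any SMB logon success from
    the same source after the burst began, which is the sign a guess worked.
    """
    by_src = defaultdict(list)
    for ev in smb_auth_events(log_text.splitlines()):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "fail"]
        # Sliding window anchored at each failure: count failures within `window` of it.
        best = 0
        for i, first in enumerate(failures):
            limit = first["ts"] + window
            best = max(best, sum(1 for e in failures[i:] if e["ts"] <= limit))
        if best < min_failures:
            continue
        burst_start = failures[0]["ts"]
        successes = [e for e in events if e["result"] == "ok" and e["ts"] >= burst_start]
        findings[src] = {
            "src": src,
            "max_failures_in_window": best,
            "hosts": sorted({e["dst"] for e in failures}),
            "accounts": sorted({e["user"] for e in failures}),
            "success_after_burst": [(e["dst"], e["user"]) for e in successes],
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_smb_bruteforce(SAMPLE_LOG).items():
        print(src, finding)
```

In the constructed sample, only 192.0.2.10 is flagged: six failures in twelve seconds against two hosts and three built-in account names, followed by a successful logon to FS02 as administrator. The single mistyped password from 192.0.2.50 and the non-SMB failure on port 443 stay below the rule. The window and failure threshold are tuning knobs, not values from the alert; on a real estate they should be set against the baseline of legitimate logon failures, and a success following a burst should be escalated ahead of bursts that never succeeded.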