HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL

2017-11-14 USCISA

https://www.us-cert.gov/ncas/alerts/TA17-318A

DHS and FBI reported FALLCHILL as a remote administration tool used by HIDDEN COBRA, the U.S. Government name for North Korean government malicious cyber activity. The alert says FALLCHILL had likely been used since 2016 against aerospace, telecommunications, and finance organizations, typically arriving through other HIDDEN COBRA malware or compromised websites and persisting via an external tool or dropper. FALLCHILL communicates through multiple proxies, uses fake TLS traffic with RC4-encrypted data, and beacons system details such as operating system version, IP address, host name, and MAC address. Its built-in capabilities include disk enumeration, process creation and termination, file search/read/write/move/execute operations, timestamp modification, directory changes, and deletion of malware artifacts. The alert provides network signatures, YARA-style host rules, and IOC guidance so defenders can prioritize detection and response where FALLCHILL-linked infrastructure appears in telemetry.

Indicators of Compromise

Type  Value                          First Seen  Last Seen
YARA  success_fail_codes_fallchill   2017-11-14  2017-11-14
YARA  rc4_stack_key_fallchill        2017-11-14  2017-11-14
