{
    "type": "bundle",
    "id": "bundle--fc1540de-5397-4073-a5ab-855f885f77f0",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--ee1af7fe-c2db-446e-ab28-bdb4b4e29c1c",
            "created": "2023-03-08T12:51:42.067091Z",
            "modified": "2023-03-10T04:35:51.526813Z",
            "name": "USCISA",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9ff85222-5d39-41c2-8d0a-40df8b553a29",
            "created": "2026-06-24T18:11:52.654486Z",
            "modified": "2026-06-24T18:11:52.654486Z",
            "name": "YARA Rule",
            "pattern": "rule success_fail_codes_fallchill\r\n{\r\nmeta:\r\ndescription = \"success_fail_codes\"\r\nstrings:\r\n$s0 = { 68 7a 34 12 00 }\r\n$s1 = { ba 7a 34 12 00 }\r\n$f0 = { 68 5c 34 12 00 }\r\n$f1 = { ba 5c 34 12 00 }\r\ncondition:\r\n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))\r\n}",
            "pattern_type": "yara",
            "valid_from": "2017-11-14T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c3fa7acc-455a-43e7-902e-17ee1c7d130c",
            "created": "2026-06-24T18:11:52.655298Z",
            "modified": "2026-06-24T18:11:52.655298Z",
            "name": "YARA Rule",
            "pattern": "rule rc4_stack_key_fallchill\r\n{\r\nmeta:\r\ndescription = \"rc4_stack_key\"\r\nstrings:\r\n$stack_key = { 0d 06 09 2a ?? ?? ?? ?? 86 48 86 f7 ?? ?? ?? ?? 0d 01 01 01 ?? ?? ?? ?? 05 00 03 82 41 8b c9 41 8b d1 49 8b 40 08 48 ff c2 88 4c 02 ff ff c1 81 f9 00 01 00 00 7c eb }\r\ncondition:\r\n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $stack_key\r\n}",
            "pattern_type": "yara",
            "valid_from": "2017-11-14T00:00:00Z"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--144818da-aadb-576a-82f4-f05e15a3bb28",
            "created": "2026-06-24T18:11:52.660409Z",
            "modified": "2026-06-24T18:11:52.660409Z",
            "name": "HiddenCobra"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--b378ee20-34f7-43d3-b895-38d09b39e3f5",
            "created_by_ref": "identity--ee1af7fe-c2db-446e-ab28-bdb4b4e29c1c",
            "created": "2026-06-24T18:11:52.661518Z",
            "modified": "2026-06-24T18:11:52.661518Z",
            "name": "HIDDEN COBRA \u2013 North Korean Remote Administration Tool: FALLCHILL",
            "published": "2017-11-14T00:00:00Z",
            "object_refs": [
                "identity--ee1af7fe-c2db-446e-ab28-bdb4b4e29c1c",
                "indicator--9ff85222-5d39-41c2-8d0a-40df8b553a29",
                "indicator--c3fa7acc-455a-43e7-902e-17ee1c7d130c",
                "threat-actor--144818da-aadb-576a-82f4-f05e15a3bb28"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://www.us-cert.gov/ncas/alerts/TA17-318A"
                }
            ]
        }
    ]
}