MAR-10135536-12 – North Korean Trojan: TYPEFRAME

2018-06-14 US CISA

https://www.us-cert.gov/ncas/analysis-reports/AR18-165A

DHS and FBI analyzed TYPEFRAME malware variants attributed by the U.S. Government to HIDDEN COBRA, the term used for malicious North Korean government cyber activity. The sample set included 32-bit and 64-bit Windows executables and a malicious Word document containing VBA macros; these samples are capable of downloading malware, installing proxy and RAT components, contacting C2 servers, and modifying firewall settings. One analyzed executable installs a RAT service by decrypting and dropping a malicious DLL as C:\Windows\system32\laxhost.dll, storing encrypted configuration data in the registry, and running the DLL through svchost.exe under the netsvcs service group. The report provides hashes, filenames such as laxhost.dll and dwnhost.dll, YARA rules, and implementation details so defenders can prioritize detection and mitigation of TYPEFRAME-related activity.
