MAR-10135536-8 – North Korean Trojan: HOPLIGHT

2019-10-31 USCISA

https://www.us-cert.gov/ncas/analysis-reports/ar19-304a


CISA’s MAR-10135536-8 analyzes `HOPLIGHT`, a family of Trojan variants used by the North Korean government; the U.S. Government tracks this activity as `HIDDEN COBRA`. The report covers twenty malicious executables. Sixteen are proxy applications that mask traffic between the malware and its remote operators by generating fake TLS handshake sessions backed by valid public SSL certificates. The remaining files either contain encoded payload or certificate material, or attempt outbound connections and drop files holding IP addresses and SSL certificates. One analyzed 32-bit Windows executable, detected as a `Win32/NukeSped.AI` variant, collects operating system, volume, drive, partition, and system-time information, and can manage services, files, processes, directories, and registry keys; update its callback configuration; change its working directory; execute commands; write logs; send keep-alives; and uninstall the implant. The malware embeds SSL certificate material (including a `www.naver.com` certificate and the default PolarSSL certificates and private keys), hardcoded C2 IP options, and Zlib compression to support or obfuscate its communications.
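The report's observation that the samples carry PEM-armoured SSL certificates and private keys alongside Zlib-compressed material suggests a cheap first-pass triage: carve both artifact types out of an unknown binary before opening it in a disassembler. The script below is an added example, not code from the CISA report or from HOPLIGHT. It validates each candidate Zlib stream (header check plus a full decompression through the Adler-32 trailer) so that stray `0x78 0x9C` byte pairs are not reported, and it pulls IPv4 literals out of anything that decompresses, since the report says dropped configuration holds callback IPs. `SAMPLE` is a constructed stand-in for a file's contents (the PEM bodies are filler, not real certificates, and the addresses are RFC 5737 documentation ranges); nothing in it is taken from HOPLIGHT.

```python
"""Carve PEM blocks and valid zlib streams from an arbitrary byte blob (malware triage helper)."""
import re
import zlib
from typing import Dict, List, Tuple

# PEM armour: "-----BEGIN X-----" ... "-----END X-----" with the same label on both ends.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def carve_pem_blocks(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every PEM block, e.g. (264, 'CERTIFICATE')."""
    return [(m.start(), m.group(1).decode()) for m in PEM_RE.finditer(data)]


def carve_zlib_streams(data: bytes, min_out: int = 16) -> List[Tuple[int, int, bytes]]:
    """Return (offset, length, decompressed) for each complete zlib stream in data.

    A candidate starts with CMF 0x78 (deflate, 32 KiB window) and must pass the
    FCHECK test ((CMF<<8 | FLG) % 31 == 0). That alone yields many false positives
    in random bytes, so the stream must also decompress without error all the way
    to its Adler-32 trailer (d.eof) and produce at least min_out bytes.
    """
    hits: List[Tuple[int, int, bytes]] = []
    i, n = 0, len(data)
    while i < n - 1:
        cmf, flg = data[i], data[i + 1]
        if cmf == 0x78 and ((cmf << 8) | flg) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[i:])
                if d.eof and len(out) >= min_out:
                    consumed = n - i - len(d.unused_data)
                    hits.append((i, consumed, out))
                    i += consumed          # skip past the stream we just carved
                    continue
            except zlib.error:
                pass                       # header looked right, body was not deflate
        i += 1
    return hits


def triage(data: bytes) -> Dict[str, object]:
    """Summarise embedded PEM material, zlib streams and any IPv4 literals they hide."""
    pems = carve_pem_blocks(data)
    streams = carve_zlib_streams(data)
    ips = sorted({ip.decode() for _, _, out in streams for ip in IPV4_RE.findall(out)})
    return {
        "pem_labels": [label for _, label in pems],
        "zlib_streams": [(off, length) for off, length, _ in streams],
        "ipv4_in_streams": ips,
    }


# --- Constructed test blob (NOT bytes from HOPLIGHT) -------------------------------
FAKE_CERT = (b"-----BEGIN CERTIFICATE-----\n" + b"MIIB" + b"A" * 60 + b"\n"
             + b"B" * 64 + b"\n" + b"-----END CERTIFICATE-----\n")   # filler, not a real cert
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n" + b"MIIC" + b"Q" * 60 + b"\n"
            + b"-----END RSA PRIVATE KEY-----\n")                    # filler, not a real key
CONFIG = b"callback=203.0.113.10:443;callback=198.51.100.7:443;keepalive=60;"
COMPRESSED = zlib.compress(CONFIG)                                   # real zlib stream
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 40 + FAKE_CERT
          + b"\x00\x78\x9c\x00" + b"junk" * 8    # decoy: valid zlib header, invalid body
          + COMPRESSED + b"\x00" * 16 + FAKE_KEY
          + b"\x78\x01")                         # decoy: header only, truncated

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a real file with `triage(open(path, "rb").read())`. The same two checks are what tools like binwalk do for zlib; the point of doing it by hand here is the caveat in `carve_zlib_streams`: the two-byte header is weak evidence on its own, and only a clean decompression to the trailer should be reported.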
