MAR-10135536-8 – North Korean Trojan: HOPLIGHT
2019-04-10 • USCISA
CISA’s AR19-100A MAR analyzes `HOPLIGHT`, a family of Trojan malware variants used by the North Korean government and tracked by the U.S. Government under the name `HIDDEN COBRA`. The April 2019 report covers nine malicious executables. Seven are proxy applications that mask operator traffic by generating fake TLS handshake sessions using valid public SSL certificates; the remaining files either contain encoded payload or certificate material, or drop IP-address and SSL-certificate data. The malware includes `Win32/NukeSped.AI` PE32 variants that collect OS, volume, drive, partition, and system-time information; can create, start, and stop services; and can open and bind sockets. The report highlights PolarSSL server-name artifacts such as `fjiejffndxklfsdkfjsaadiepwn`, `www.naver.com`, and `www.google.com`, embedded Zlib compression, dropped files including `udbcgiut.dat`, `MSDFMAPI.INI`, and `UDPTrcSvc.dll`, and outbound TLS attempts to `81.94.192.147` and `112.175.92.57` over TCP/443.
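As an added defensive illustration (example code, not CISA's tooling or anything from the MAR), the triage below checks constructed TLS-connection and file-create records against the indicators quoted above. It treats the bogus PolarSSL server name and the two reported addresses as direct hits, but flags the `www.google.com` / `www.naver.com` server names only when the peer lies outside an expected address range, since those names alone occur in ordinary traffic; the Google range used here is an assumed placeholder, as is the log format.

```python
"""Triage constructed TLS and file-create records against the HOPLIGHT
indicators quoted on this page. Example code, not CISA's own tooling."""
import ipaddress
from typing import List, Optional

# Indicators from the MAR as quoted above.
C2_ADDRS = {"81.94.192.147", "112.175.92.57"}
SNI_BOGUS = {"fjiejffndxklfsdkfjsaadiepwn"}            # fake PolarSSL server name
SNI_SPOOFED_LEGIT = {"www.google.com", "www.naver.com"}  # notable only with an odd peer
DROPPED_FILES = {"udbcgiut.dat", "msdfmapi.ini", "udptrcsvc.dll"}

# Assumed placeholder: the address range a real www.google.com peer would fall in.
# In production, take such ranges from the operator's published data, not this constant.
EXPECTED_PEERS = {"www.google.com": ipaddress.ip_network("142.250.0.0/15")}

# Constructed sample records (tab-separated: src_ip, dst_ip, dst_port, sni).
SAMPLE_TLS = [
    "10.0.0.5\t142.250.72.4\t443\twww.google.com",         # ordinary browsing
    "10.0.0.5\t81.94.192.147\t443\twww.google.com",        # spoofed SNI toward a C2 address
    "10.0.0.7\t203.0.113.9\t443\tfjiejffndxklfsdkfjsaadiepwn",
    "10.0.0.9\t112.175.92.57\t443\t",                      # reported address, empty SNI
]
SAMPLE_FILES = [  # constructed file-create events
    r"C:\Windows\System32\UDPTrcSvc.dll",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Windows\MSDFMAPI.INI",
]

def triage_tls(record: str) -> List[str]:
    """Return the reasons a TLS record looks HOPLIGHT-like (empty list = clean)."""
    _src, dst, port, sni = record.split("\t")
    reasons = []
    if dst in C2_ADDRS:
        reasons.append(f"destination {dst}:{port} is a reported HOPLIGHT address")
    if sni in SNI_BOGUS:
        reasons.append(f"bogus server name {sni!r} used by the proxy component")
    expected = EXPECTED_PEERS.get(sni)
    if sni in SNI_SPOOFED_LEGIT and expected and ipaddress.ip_address(dst) not in expected:
        reasons.append(f"server name {sni!r} sent to {dst}, outside the expected range")
    return reasons

def triage_file(path: str) -> Optional[str]:
    """Return the matched dropped-file name (lower-cased), or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name if name in DROPPED_FILES else None

def scan_samples() -> dict:
    """Run both checks over the constructed samples; only hits are returned."""
    tls_hits = [(r, triage_tls(r)) for r in SAMPLE_TLS if triage_tls(r)]
    file_hits = [(p, triage_file(p)) for p in SAMPLE_FILES if triage_file(p)]
    return {"tls": tls_hits, "files": file_hits}
```

The spoofed-SNI rule generalises beyond this report: any TLS session whose server name belongs to a major site but whose peer is outside that site's ranges deserves a look, regardless of which malware produced it.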