MAR-10135536-8.v3 – North Korean Trojan: HOPLIGHT

2020-02-14 USCISA

https://www.us-cert.gov/ncas/analysis-reports/ar20-045g

CISA, FBI, and DoD analyzed HOPLIGHT, a North Korean government-linked malware set associated with HIDDEN COBRA. The report covers twenty malicious executables, including proxy applications that mask traffic between infected hosts and remote operators. Several proxies generate fake TLS handshake sessions using valid public SSL certificates to disguise malicious network connections. Other components collect victim system information, enumerate drives and partitions, and drop files containing IP addresses and certificates for follow-on activity.
