MAR-10265965-1.v1 – North Korean Trojan: BISTROMATH

2020-02-14 USCISA

https://www.us-cert.gov/ncas/analysis-reports/ar20-045a


CISA, FBI, and DoD identify BISTROMATH as a HIDDEN COBRA Trojan family linked to the North Korean government, consisting of multiple RAT implant versions together with the CAgent11 GUI controller and builder components. The implants can survey the host, upload and download files, execute processes and commands, and monitor the microphone, clipboard, and screen. The controller components let an operator interact with infected hosts and build customized implants. The samples are trojanized executables containing fake bitmap resources that decode into configuration data and shellcode; the shellcode then loads the embedded implant. Network communications use simple XOR encoding, and the shellcode's configurable options include checks for VMware, VirtualBox, QEMU, BOCHS, and Wine, as well as for sandbox and debugging artifacts.
