MAR-10265965-2.v1 – North Korean Trojan: SLICKSHOES

2020-02-14 USCISA

https://www.us-cert.gov/ncas/analysis-reports/ar20-045b

CISA, FBI, and DoD identify SLICKSHOES as a North Korean government-linked HIDDEN COBRA Trojan built as a Themida-packed dropper and beaconing implant. The dropper decodes and writes taskenc.exe under C:\Windows\Web but does not execute it or create persistence through autoruns or scheduled tasks. The dropped implant has RAT functionality for system surveys, file upload and download, process and command execution, and screen captures. It beacons every 60 seconds to hardcoded IP address 188.165.37.168 over TCP port 80, sending the string ApolloZeus and victim details such as OS version, username, and IP address. Network traffic is encoded with a custom algorithm, and the first ApolloZeus beacon may appear in plaintext because of in-place decoding behavior.
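As an added illustration of the indicators above (example code, not part of the CISA report): a small Python triage routine that checks constructed flow records for the hardcoded C2 address and port, the plaintext ApolloZeus marker, and the 60-second beacon cadence. The sample records, the timing tolerance and the minimum-count threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the MAR summary: hardcoded C2, TCP/80, 60-second beacon, "ApolloZeus" marker.
C2_ADDR = "188.165.37.168"
C2_PORT = 80
BEACON_INTERVAL = timedelta(seconds=60)
MARKER = b"ApolloZeus"

# Constructed sample flow records (timestamp, src, dst, dport, first payload bytes); not real captures.
SAMPLE_FLOWS = [
    ("2020-02-14T10:00:00", "10.0.0.5", "188.165.37.168", 80, b"ApolloZeus|Windows 7|user1|10.0.0.5"),
    ("2020-02-14T10:01:01", "10.0.0.5", "188.165.37.168", 80, b"\x8f\x12\xa4\x7c"),
    ("2020-02-14T10:02:00", "10.0.0.5", "188.165.37.168", 80, b"\x3c\x91\xde\x02"),
    ("2020-02-14T10:03:01", "10.0.0.5", "188.165.37.168", 80, b"\x55\x70\x0b\xee"),
    ("2020-02-14T10:00:10", "10.0.0.7", "93.184.216.34", 80, b"GET / HTTP/1.1"),
    ("2020-02-14T10:00:40", "10.0.0.7", "93.184.216.34", 80, b"GET /img HTTP/1.1"),
]

def is_c2_flow(flow):
    """Match the hardcoded SLICKSHOES C2 address and port named in the report."""
    _, _, dst, dport, _ = flow
    return dst == C2_ADDR and dport == C2_PORT

def has_plaintext_marker(flow):
    """The first beacon may go out undecoded, so the ApolloZeus string can appear in the clear."""
    return MARKER in flow[4]

def periodic_sources(flows, interval=BEACON_INTERVAL, tolerance=timedelta(seconds=5), min_count=3):
    """Return (src, dst, dport) triples whose flows recur at roughly the beacon interval.
    This catches the later, encoded beacons that carry no recognisable string (thresholds assumed)."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst, dport)].append(datetime.fromisoformat(ts))
    hits = set()
    for key, times in by_pair.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if all(abs(gap - interval) <= tolerance for gap in gaps):
            hits.add(key)
    return hits

def triage(flows):
    """Hosts to isolate: any source that reached the C2 pair or emitted the plaintext marker."""
    return sorted({f[1] for f in flows if is_c2_flow(f) or has_plaintext_marker(f)})
```

Hosts returned by periodic_sources() that are not already in triage() are worth a closer look, since the report notes the C2 traffic is encoded after the first beacon and may not contain any searchable string.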