MAR-10265965-3.v1 – North Korean Trojan: CROWDEDFLOUNDER
2020-02-14 • USCISA
CISA, FBI, and DoD analyzed CROWDEDFLOUNDER, a North Korean government-linked Trojan associated with HIDDEN COBRA activity. The malware is a Themida-packed 32-bit Windows executable designed to unpack and execute a remote-access Trojan. Its command-line handling can force the RAT to connect to a specified C2 server, and it uses the CURL library for data transfer. The report notes that C2 traffic is protected with a rotating XOR cipher and provides behavior details intended to support network defense and incident response.