MAR-10271944-3.v1 – North Korean Trojan: BUFFETLINE
2020-02-14 • USCISA
CISA, FBI, and DoD analyzed BUFFETLINE, a Trojan malware variant attributed to North Korean government activity tracked as HIDDEN COBRA. The report describes a full-featured beaconing implant that uses PolarSSL for session authentication and a FakeTLS scheme with modified RC4-style encoding for network traffic. The malware can download, upload, delete, and execute files, enable Windows command-line access, create and terminate processes, and enumerate target systems. The advisory provides malware behavior and defensive context to help organizations prioritize detection and mitigation of North Korean government-linked tooling.