North Korean Proxy Malware: ELECTRICFISH

2019-09-09 USCISA

https://www.us-cert.gov/ncas/analysis-reports/ar19-252b


The DHS, FBI, and DoD malware analysis report (MAR) attributes the ELECTRICFISH proxy malware to North Korean HIDDEN COBRA activity. The analyzed 32-bit Windows executables implement a custom tunneling protocol that relays traffic between a configured source and destination IP address and can operate through configured proxy credentials. This lets an operator funnel traffic out of restricted environments and sustain access after initial compromise. The MAR supplies malware descriptions, mitigation guidance, and indicators for defenders hunting DPRK-linked proxy tooling.
