North Korean Trojan: HARDRAIN

2018-02-13 USCISA

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf

Attachments

f4ba9b398f65c78869ccd50da923a05a214a4dc1.pdf (126 KB)

DHS and FBI describe HARDRAIN as HIDDEN COBRA malware used by North Korean government actors with proxy servers to maintain access and support further exploitation. The MAR analyzes three files: two 32-bit Windows executables that act as proxy servers using fake TLS behavior and one Android ELF RAT. One Windows DLL opens the host firewall for incoming connections, disguises proxy traffic as TLS by embedding legitimate public SSL certificate strings, and uses an unidentified cipher for operator communications.
