North Korean Tunneling Tool: ELECTRICFISH
2019-05-09 • USCISA
DHS and FBI attribute ELECTRICFISH to North Korean government malicious cyber activity tracked as HIDDEN COBRA and analyze it as a 32-bit Windows tunneling utility. The malware accepts command-line parameters for source and destination IP/port pairs plus optional proxy server, port, username, and password, then continuously tries to establish TCP sessions to both sides. Once connected, it uses a custom protocol with a mostly static authentication packet to tunnel traffic rapidly between the two machines. The proxy-authentication support is operationally important because it can let the actor reach outside a compromised network even when outbound access normally requires proxy credentials.
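Two of the traits described above are observable from a defender's side: the utility keeps retrying TCP sessions to a fixed pair of endpoints, and each session opens with a mostly static authentication packet, so the first bytes sent to a peer repeat across sessions with only a small variable field. The script below is an added example, not code from the CISA/US-CERT report, that scores constructed connection-log records for both traits. Every process name, address, timestamp and payload byte in it is constructed for illustration; none is an ELECTRICFISH indicator, and the thresholds are assumptions to be tuned against real telemetry.

```python
"""Flag tunneling-tool behaviour in constructed connection logs.

Added example (not from the report). It models two reported traits:
continuous reconnection to a fixed pair of peers, and a mostly static
first packet per session. All sample data below is constructed; the
payload bytes are placeholders, not real ELECTRICFISH indicators.
"""
from collections import defaultdict

STATIC_THRESHOLD = 0.75   # assumed: share of prefix byte positions identical across sessions
MIN_ATTEMPTS = 2          # assumed: attempts per peer before it counts as "continuous" retrying

# Constructed records: timestamp, process, peer ip:port, result, first 8 payload bytes (hex or '-')
SAMPLE_LOG = """\
2019-05-09T10:00:00 relay.exe 10.0.0.5:8080 connect-fail -
2019-05-09T10:00:02 relay.exe 10.0.0.5:8080 connect-ok 4d5a0001aabbccdd
2019-05-09T10:00:02 relay.exe 203.0.113.7:443 connect-ok 4d5a0002aabbccdd
2019-05-09T10:00:30 relay.exe 203.0.113.7:443 connect-fail -
2019-05-09T10:00:32 relay.exe 203.0.113.7:443 connect-ok 4d5a0003aabbccdd
2019-05-09T10:00:33 relay.exe 10.0.0.5:8080 connect-ok 4d5a0004aabbccdd
2019-05-09T10:00:01 browser.exe 198.51.100.9:443 connect-ok 1603010200010001
2019-05-09T10:05:00 browser.exe 198.51.100.9:443 connect-ok 16030101fe0100fd
"""


def parse_log(text):
    """Parse the constructed log format into dicts; payload '-' means nothing was sent."""
    records = []
    for line in text.splitlines():
        ts, proc, peer, result, payload = line.split()
        records.append({
            "ts": ts, "proc": proc, "peer": peer, "result": result,
            "payload": bytes.fromhex(payload) if payload != "-" else None,
        })
    return records


def static_fraction(payloads):
    """Share of byte positions that are identical across every session's opening bytes.

    A value near 1.0 means the opening packet is (mostly) static; a protocol
    with a per-session random field, such as a TLS ClientHello, scores lower.
    """
    if len(payloads) < 2:
        return 0.0
    width = min(len(p) for p in payloads)
    same = sum(1 for i in range(width) if len({p[i] for p in payloads}) == 1)
    return same / width


def analyse(records):
    """Return {process: details} for processes that retry two peers and send a static opener."""
    attempts = defaultdict(lambda: defaultdict(int))
    payloads = defaultdict(lambda: defaultdict(list))
    for r in records:
        attempts[r["proc"]][r["peer"]] += 1          # failures count as attempts too
        if r["payload"] is not None:
            payloads[r["proc"]][r["peer"]].append(r["payload"])

    findings = {}
    for proc, peers in attempts.items():
        retrying = [p for p, n in peers.items() if n >= MIN_ATTEMPTS]
        static = {p: static_fraction(payloads[proc][p]) for p in peers}
        # A tunnel relay talks to both sides; require two retried peers plus a static opener.
        if len(retrying) >= 2 and any(static[p] >= STATIC_THRESHOLD for p in retrying):
            findings[proc] = {"peers": sorted(retrying), "static": static}
    return findings


if __name__ == "__main__":
    for proc, info in analyse(parse_log(SAMPLE_LOG)).items():
        print(proc, "retries", info["peers"], "static-prefix scores", info["static"])
```

On the constructed data, `relay.exe` is flagged (three attempts to each of two peers, opening bytes 7/8 identical across sessions), while `browser.exe` is not: it talks to a single peer and its opening bytes vary as a TLS handshake would. The same two features can be computed from proxy logs, which is where the report's proxy-authentication note matters: a tunnel that authenticates to the egress proxy leaves the same repeated-connection pattern in the proxy's access records.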