Malware Analysis Report (AR19-100A)

Original release date: April 10, 2019

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have identified a Trojan malware variant—referred to as HOPLIGHT—used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA


This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see



Findings: A variant of Win32/NukeSped.AI trojan found by ESET Antivirus Software.

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant has been identified as HOPLIGHT. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. This report provides analysis of nine malicious executable files. Seven of these files are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files. The dropped files primarily contain IP addresses and SSL certificates.For a complete list of IP addresses that are found to be from compromised systems and sending out this new threat.

Also look at these other pages for additional information


This is yet another reason why we at PCS World Networks is a Certified Partner of ESET Security Solutions.  We have been working with ESET  for  more than 10 years now and we have found no other Antivirus software to be of better quality with a very small footprint (small file size) compared to all other virus software on the market. 

Let us give you 6months of FREE Protection to see for yourself.  Contact Us Today!


PCS World Network – Managed Solutions

Security & Business Continuity

PCS World Network, Inc.
P.O. Box 152249
San Diego, CA 92195-2249

(619) 272.7593

This email address is being protected from spambots. You need JavaScript enabled to view it.