US-CERT warns of more North Korean malware
'Typeframe' springs from the same den as 'Hidden Cobra'
The United States Department of Homeland Security's Computer Emergency Response Team (US-CERT) has warned against another malware campaign it says originates from North Korea.
In its advisory, US-CERT said the “Typeframe” malware “includes malware descriptions related to HIDDEN COBRA”, the tag applied to a North Korean hacking team which in June 2017 was pinged as attacking “media, aerospace, financial, and critical infrastructure”.
The advisory doesn't say how many machines may have been infected by Typeframe, nor where infections occurred.
Hidden Cobra has been busy recently: at the end of May, it was the subject of another US-CERT technical alert regarding the Joanap and Brambul malware strains, and last week we reported that the hacking group's tools were spotted in an attack on Banco de Chile.
The latest advisory includes 11 samples in the Typeframe campaign. Most are simple Windows 32-bit and 64-bit remote access trojans with RC4-encrypted configuration files, but some add more sophisticated backdoors. Most were compiled in 2016 and 2017, but one venerable example in the list was put together in 2015.
Command and control IP addresses in the campaign include 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, and 188.8.131.52. The servers are scattered across the USA, Morocco, China, Dubai, Albania, Mexico and India. ®