What We Do
How We Do
Get Started
Security advisories

CISA Reports on North Korean Malware

May 12, 2020 | 1 MIN READ

Speak With A Security Expert Now



The Cybersecurity and Infrastructure Security Agency (CISA) has released three new reports on malware associated with North Korean state sponsored threat actors. The reports outline three different malware types: PebbleDash Trojan [1], TaintedScribe Trojan [2] and CopperHedge RAT [3]. These tools are reported to be used by the North Korean threat actor Hidden Cobra (Lazarus Group). While the reports lack specific details on where the malware types were used, Hidden Cobra has a long history of targeting both governments and private organizations that interest the North Korean government.

What we’re doing about it

What you should do about it

Additional information

The two Trojans, PebbleDash and TaintedScribe are beaconing implants that can be used to exfiltrate information, download additional malicious content and execute commands on infected devices. CopperHedge is a variant of the Manuscrypt RAT and is a remote access tool that can be used to run arbitrary commands, perform system reconnaissance, and exfiltrate data. The CISA reports were released on May 12th, 2020, but the malware was likely in use for years prior to this report. Hashes for the malware were reported to VirusTotal as far back as 2018. Information on past Hidden Cobra related activity and tools can be found on the CISA web-page North Korean Malicious Cyber Activity [4].


[1] https://www.us-cert.gov/ncas/analysis-reports/ar20-133c

[2] https://www.us-cert.gov/ncas/analysis-reports/ar20-133b

[3] https://www.us-cert.gov/ncas/analysis-reports/ar20-133a

[4] https://www.us-cert.gov/northkorea

View Most Recent Advisories