Security teams have identified Trojan malware variants used by the North Korean government. The malware has been identified as HOPLIGHT. Sixteen of the detected files are proxy applications that mask traffic between the malware and its remote operators. The proxies can generate fake TLS handshake sessions using valid public SSL certificates, which disguises network connections with remote malicious actors. One file contains a public SSL certificate, and the payload of that file appears to be encoded with a password or key.
Below are the capabilities of the HOPLIGHT Trojan: