ELECTRICFISH is a piece of malware that exfiltrate data from victims. According to the MAR AR19-129A advisory released on US-CERT's website, the malware was detected while tracking the malicious activities of the North Korean-backed hacking group HIDDEN COBRA (also known by security experts as Lazarus, Guardians of Peace, ZINC, and NICKEL ACADEMY).

The MAR-10135536-21 malware analysis report was issued  "to enable network defense and reduce exposure to North Korean government malicious cyber activity."

The report published on the US-CERT website comes with a detailed analysis of one malicious 32-bit executable file found to be infected with Lazarus' ELECTRICFISH malware.


The malware "implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session."

Because the malware can be configured by the Lazarus group attackers "with a proxy server/port and proxy username and password," it makes it possible to connect "to a system sitting inside of a proxy server" and thus circumventing the infected system's authentication.

After bypassing the configured authentication measures on the  compromised machine, ELECTRICFISH will "establish a session with the destination IP address, located outside of the target network and the source IP address."

Once a connection is established between a source IP address and a destination IP address, the ELECTRICFISH malware can funnel Internet traffic between the two machines allowing the malicious actors to funnel the information collected from compromised computers to servers that they control.