North Korea‑linked Kimsuky uses HttpTroy backdoor in spear‑phishing attack on South Korea

A North Korea‑linked threat actor known as Kimsuky deployed a previously undocumented backdoor called HttpTroy in a likely spear‑phishing campaign that targeted a single victim in South Korea, Gen Digital reported. The vendor did not disclose when the incident occurred.

The attack used a ZIP attachment named “250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip” containing an SCR file that launched a three‑stage chain: a small dropper, a loader called MemLoad, and the HttpTroy backdoor, researcher Alexandru‑Cristian Bardaș said. The initial dropper was a Go binary that contained three embedded files, including a decoy PDF displayed to the victim to avoid suspicion.

MemLoad established persistence by creating a scheduled task named “AhnlabUpdate” to impersonate a South Korean security product, decrypted and executed a DLL backdoor, and launched the implant. HttpTroy communicates with a command‑and‑control server at load.auraria[.]org over HTTP POST and can upload and download files, capture screenshots, run commands with elevated privileges, load executables in memory, spawn a reverse shell, terminate processes and remove traces.

Bardaș said HttpTroy employs multiple layers of obfuscation to hinder analysis: API calls are concealed using custom hashing techniques, strings are obfuscated through XOR operations and SIMD instructions, and the malware dynamically reconstructs values at runtime using varied arithmetic and logical operations.

Gen Digital also described a separate Lazarus Group operation that deployed Comebacker and an updated BLINDINGCAN remote access trojan against two Canadian victims. Two Comebacker variants – a DLL launched via a Windows service and an EXE executed through cmd.exe – were used to decrypt and deploy BLINDINGCAN, which supports extensive file and system operations and can invoke CreateProcessW for command execution.

Gen Digital assessed that initial access was likely achieved through phishing, since no exploited vulnerability was identified, but it did not provide a timeline for the intrusion.