Mallory

Kimsuky Deploys HttpTroy Backdoor in Targeted South Korean Attack

Tags: state-sponsored-espionage, phishing-campaign-intelligence, remote-access-implant, persistence-method, command-and-control-method
Updated March 21, 2026 at 03:32 PM (3 sources)

The North Korean threat actor Kimsuky has been identified distributing a new backdoor, codenamed HttpTroy, in a targeted spear-phishing campaign against a South Korean victim. The attack leveraged a phishing email containing a ZIP file disguised as a VPN invoice, which, when opened, initiated a multi-stage infection chain involving a dropper, a loader (MemLoad), and the final HttpTroy backdoor. The malware is capable of file transfer, screenshot capture, command execution with elevated privileges, in-memory loading of executables, reverse shell access, process termination, and trace removal. Persistence is established via a scheduled task impersonating the South Korean cybersecurity company AhnLab, and communication with the command-and-control server is conducted over HTTP POST requests.

HttpTroy employs advanced obfuscation techniques, including custom API hashing and string obfuscation using XOR and SIMD instructions, to evade detection and analysis. The campaign highlights the continued evolution of North Korean APT toolsets, with Kimsuky adopting stealthier malware to enhance their cyber-espionage capabilities. Security researchers have emphasized the sophistication of the infection chain and the backdoor's ability to provide attackers with full control over compromised systems.

Timeline

  1. Nov 3, 2025

    Lazarus deploys a new BLINDINGCAN RAT variant

    North Korea-linked Lazarus was reported to be using a new variant of the BLINDINGCAN remote access trojan, indicating an upgrade in the group's malware toolkit. The available references present this as a separate development from the Kimsuky HttpTroy activity.

  2. Nov 3, 2025

    Kimsuky launches targeted campaign using HttpTroy against South Korean users

    North Korea-linked Kimsuky began a targeted cyberattack campaign against South Korean users using a new HttpTroy backdoor, including lures disguised as a VPN-related invoice. The reporting describes HttpTroy as a stealthy new addition to the group's malware arsenal.


Related Stories

Kimsuky Uses Malicious LNK Files to Deliver Python Backdoor

North Korea-linked threat group **Kimsuky** has been reported using malicious Windows shortcut (`.LNK`) files to initiate a **multi-stage infection chain** that ends with deployment of a **Python-based backdoor**. Reporting shared from both AhnLab and Excalibra indicates the campaign relies on weaponized LNK files as the initial access vector, with the malware delivery process evolving from earlier distribution patterns. The activity was attributed to Kimsuky in threat-intelligence reporting and social media amplification, with references also linking the cluster to **DPRK** operations and possible overlap or comparison with **Konni** tracking. While the cited summaries did not include victimology or technical indicators, they consistently described a shift in how the group distributes malware and highlighted the use of LNK-based social engineering to stage follow-on payloads.

1 week ago
North Korean Phishing Campaign Uses GitHub as Covert C2 Against South Korean Firms

FortiGuard Labs reported a high-severity cyber espionage campaign linked to North Korean state-sponsored actors that targets organizations in South Korea with phishing emails carrying malicious Windows `.lnk` files disguised as PDF documents. When opened, the shortcut launches PowerShell and other native Windows scripting tools while showing a decoy document, then performs anti-analysis checks for tools including Wireshark, Fiddler, x64dbg, Procmon, and `vmtoolsd`. Researchers said the operation has been active since at least 2024 and has evolved from earlier, less-obfuscated variants associated with XenoRAT into more sophisticated samples that embed decoding logic and payload data directly in the shortcut file. The malware establishes persistence through a Scheduled Task disguised as a technical paper and set to run every 30 minutes, then collects host data such as OS version, build number, process lists, and keep-alive logs. Operators used trusted GitHub accounts and private repositories as covert command-and-control and data-staging infrastructure, allowing malicious HTTPS traffic to blend with normal web activity while exfiltrating system information and retrieving follow-on instructions. Decoy filenames and metadata, including the "Hangul Document" naming convention, indicate deliberate targeting of South Korean companies and tradecraft aligned with clusters such as **Kimsuky**, **APT37**, and **Lazarus**.

2 weeks ago
Kimsuky LNK Malware Using Dropbox API for Host Profiling and Payload Delivery

**Kimsuky**-linked malware delivered through malicious **LNK** files was observed targeting likely South Korean users, using shortcut execution to unpack a PowerShell-based implant, establish persistence via **Task Scheduler**, collect host information, and communicate through the **Dropbox API**. IIJ reported that the LNK extracts files into `C:\PerfLog`, deploys `www.ps1` and a VBScript launcher, creates a scheduled task named `P`, and drops a decoy document in a Hancom Office format. The malware generates a client ID from the victim MAC address, gathers system details including domain, username, OS version, process lists, and external IP address, then uploads the data to attacker-controlled Dropbox folders before attempting to download and run a follow-on batch payload. AhnLab's February 2026 APT trend reporting for South Korea provides broader context showing that **spear phishing** remained the dominant delivery method and that **LNK-based attacks** were the most prevalent format observed, including campaigns that used PowerShell to fetch additional components and register persistence. While AhnLab's report is a monthly trend overview rather than a dedicated write-up on the Dropbox variant, it aligns with IIJ's assessment that the malware shares substantial **TTP** overlap with previously reported **Kimsuky** activity. The reporting indicates continued abuse of legitimate cloud services such as **Dropbox** and, more broadly, GitHub and similar platforms to blend command-and-control and payload staging into normal network traffic.

5 days ago
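The scheduled-task persistence that recurs across the stories above (the HttpTroy task impersonating AhnLab, the FortiGuard-reported task repeating every 30 minutes, and the IIJ-reported task `P` launching a VBScript from `C:\PerfLog`) can be hunted for in a `schtasks /query /fo CSV /v` export. The Python below is an added example, not code from Mallory or any of the cited vendors; the CSV rows are constructed samples, and the column subset, the 30-minute threshold and the `LEGIT_VENDOR_PATHS` allow-list are assumptions.

```python
# Added example, not from the page or the cited vendors: triage a `schtasks /query /fo CSV /v`
# export for the scheduled-task persistence patterns described in the stories above.
import csv
import io
import re

# Constructed sample rows (not real IoCs) using a subset of the schtasks /v columns.
SAMPLE_CSV = """\
"HostName","TaskName","Next Run Time","Status","Task To Run","Schedule Type","Repeat: Every","Author"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","%windir%\\system32\\defrag.exe -c -h -o","Weekly","Disabled","Microsoft Corporation"
"WS01","\\AhnLab Update Check","3/22/2026 9:00:00 AM","Ready","C:\\Users\\Public\\svc.exe","Hourly","Disabled","WS01\\user"
"WS01","\\P","3/21/2026 4:00:00 PM","Ready","wscript.exe C:\\PerfLog\\run.vbs","Daily","0:30:00","WS01\\user"
"WS01","\\OneDrive Standalone Update Task","3/22/2026 1:00:00 AM","Ready","%localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","Daily","Disabled","WS01\\user"
"""

# Assumed allow-list of where the genuine vendor binaries would live.
LEGIT_VENDOR_PATHS = (r"c:\program files\ahnlab", r"c:\program files (x86)\ahnlab")
def triage_task(row):
    """Return the reasons one task row matches the persistence tradecraft described above."""
    reasons = []
    name = row["TaskName"].strip("\\").lower()
    action = row["Task To Run"].lower()
    # Security-vendor name on the task, but the action is not a vendor binary (HttpTroy pattern).
    if "ahnlab" in name and not action.startswith(LEGIT_VENDOR_PATHS):
        reasons.append("vendor-impersonating name with non-vendor binary")
    # Single-character task name, like the task "P" in the Dropbox-API variant.
    if len(name) == 1:
        reasons.append("single-character task name")
    # Action staged from the C:\PerfLog drop directory named in the IIJ report.
    if r"c:\perflog" in action:
        reasons.append("runs from C:\\PerfLog")
    # Script-host launcher outside the Windows directory (PowerShell/VBScript loaders).
    if re.search(r"\b(wscript|cscript|powershell)(\.exe)?\b", action) and not action.startswith("%windir%"):
        reasons.append("script host launcher")
    # Tight repeat interval, such as the 30-minute task in the FortiGuard report.
    m = re.match(r"(\d+):(\d+):(\d+)", row["Repeat: Every"])
    minutes = int(m.group(1)) * 60 + int(m.group(2)) if m else 0
    if 0 < minutes <= 30:
        reasons.append(f"repeats every {minutes} min")
    return reasons

def triage_export(text):
    """Map TaskName -> reasons for every row that trips at least one check."""
    hits = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = triage_task(row)
        if reasons:
            hits[row["TaskName"]] = reasons
    return hits
```

Run `triage_export` over the text of a real export read from disk; on the constructed sample only the AhnLab-named task and the task `P` are returned, each with the checks it tripped.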
