
HttpTroy Backdoor Targets Windows Systems via Fake VPN Invoice in Kimsuky Cyberattack on South Korea

  • Rescana
  • 5 minutes ago
  • 5 min read
Executive Summary

A newly identified backdoor, HttpTroy, has been observed in a sophisticated, targeted cyberattack campaign against South Korean organizations. This campaign, attributed to the North Korean advanced persistent threat group Kimsuky, leverages a spear-phishing email masquerading as a legitimate VPN invoice to deliver a multi-stage malware payload. The infection chain culminates in the deployment of the HttpTroy backdoor, which provides attackers with comprehensive remote access and control over compromised systems. The campaign demonstrates advanced obfuscation, social engineering, and persistence techniques, underscoring the evolving threat landscape facing organizations in South Korea and beyond. This advisory provides a detailed technical analysis, threat actor profile, exploitation context, and actionable mitigation strategies to help organizations defend against this and similar threats.

Threat Actor Profile

The threat actor behind this campaign is Kimsuky, also known as APT43, Velvet Chollima, Black Banshee, Emerald Sleet, THALLIUM, TA427, Springtail, and Group G0094. Kimsuky is a North Korean state-sponsored group with a long history of conducting cyber-espionage operations targeting government, defense, research, and policy organizations, particularly those in South Korea, the United States, Japan, Russia, and Europe. The group is known for its use of spear-phishing, custom malware, and living-off-the-land techniques to achieve persistent access, data theft, and intelligence gathering. Kimsuky’s operations are characterized by their focus on geopolitical intelligence, nuclear policy, and sanctions-related information, often leveraging highly tailored social engineering lures and advanced malware frameworks.

Technical Analysis of Malware/TTPs

The attack begins with a spear-phishing email containing a ZIP archive named 250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip. The archive holds a Windows screensaver executable (.scr) with the same name, presented as a legitimate VPN invoice. The SCR file is a dropper written in Go and carries three embedded files: a decoy PDF document and two further payloads.

The infection chain proceeds as follows: the dropper extracts and displays the decoy PDF to distract the victim, while simultaneously deploying a loader component known as MemLoad. MemLoad establishes persistence by creating a scheduled task named AhnlabUpdate, impersonating the well-known South Korean cybersecurity vendor AhnLab. This loader decrypts and executes the final payload, the HttpTroy backdoor, which is delivered as a DLL.

HttpTroy is a feature-rich backdoor that enables attackers to upload and download files, capture screenshots, execute arbitrary commands with elevated privileges, load additional executables directly into memory, establish a reverse shell, terminate processes, and remove traces of its activity. The backdoor communicates with its command-and-control (C2) infrastructure via HTTP POST requests to the domain load.auraria[.]org, using a user agent string that mimics legitimate browser traffic.

To evade detection, the malware employs multiple layers of obfuscation. API calls are concealed using custom hashing algorithms, and strings are obfuscated with XOR and SIMD instructions. At runtime, the malware dynamically reconstructs API hashes and strings, making static analysis and signature-based detection challenging. The use of in-memory execution and DLL registration via regsvr32 further reduces on-disk artifacts, complicating forensic investigations.

Exploitation in the Wild

The HttpTroy campaign has been observed targeting at least one South Korean organization, likely within the government or critical infrastructure sectors. The attack leverages a highly targeted spear-phishing email, written in Korean and impersonating a local company, to increase the likelihood of user interaction. The use of a fake VPN invoice as a lure is designed to exploit the prevalence of remote work and VPN usage in sensitive environments.

Upon successful execution, the malware establishes persistence through a scheduled task that mimics legitimate software update processes, reducing the chance of detection by users or automated defenses. The deployment of a decoy document and the use of advanced obfuscation techniques enable the malware to operate stealthily, maintaining access for extended periods. While the current campaign appears focused on South Korea, Kimsuky has a global footprint and has previously targeted organizations in the United States, Japan, Russia, Europe, and United Nations entities.

Victimology and Targeting

The primary target of this campaign is South Korean organizations, particularly those involved in government, critical infrastructure, defense, research, and policy-making. Kimsuky is known for its focus on entities with access to sensitive geopolitical, nuclear, and sanctions-related information. The use of Korean-language lures and impersonation of local companies indicates a high degree of reconnaissance and tailoring, hallmarks of advanced persistent threat operations.

While the current attack leverages a fake invoice for "SecuwaySSL VPN Manager U100S 100user," there is no evidence that any commercial VPN product is directly vulnerable. The infection relies on user interaction with a malicious attachment, rather than exploitation of a software vulnerability. Any Windows system where a user executes the malicious SCR file is at risk. Organizations with similar threat profiles, including those in the United States, Japan, Russia, and Europe, should remain vigilant, as Kimsuky has demonstrated the capability and intent to expand its targeting.

Mitigation and Countermeasures

To defend against the HttpTroy backdoor and similar threats, organizations should implement a multi-layered security strategy. Network administrators should block outbound connections to the C2 domain load.auraria[.]org and monitor for the creation of scheduled tasks named AhnlabUpdate. Security teams should configure endpoint detection and response (EDR) solutions to alert on the execution of .scr files from user directories and investigate any emails containing ZIP attachments with filenames matching the described pattern.

Proactive threat hunting should focus on identifying memory-resident DLLs with obfuscated strings and custom API hashing, as well as unexpected executions of regsvr32 registering unknown DLLs. User awareness training is critical, particularly for individuals in high-risk sectors, to recognize and report spear-phishing attempts. Organizations should also ensure that all systems are running up-to-date security software and that least-privilege principles are enforced to limit the impact of successful compromises.

Incident response teams should be prepared to conduct forensic analysis of potentially compromised systems, focusing on memory analysis and scheduled task enumeration. Regular reviews of email filtering policies and attachment handling procedures can further reduce the risk of initial compromise.
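As an added illustration (not code from the advisory or from Rescana), the following Python script applies the hunting rules above to constructed telemetry lines: .scr execution from a user directory, creation of the AhnlabUpdate scheduled task, regsvr32 registering a DLL outside the Windows directory, and lookups of the C2 domain. The line format, the event field names and the "DLL outside the Windows directory" approximation of "unknown DLL" are assumptions.

```python
import re

# Indicators taken from the advisory (the C2 domain is defanged there as load.auraria[.]org).
C2_DOMAIN = "load.auraria.org"
TASK_NAME = "AhnlabUpdate"
USER_DIR = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)
# Assumption: a DLL outside the Windows directory counts as "unknown" when passed to regsvr32.
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\Windows\\", re.IGNORECASE)
DLL_ARG = re.compile(r'([A-Za-z]:\\[^"\s]+?\.dll)', re.IGNORECASE)

def parse(line):
    """Parse one constructed key="value" telemetry line (not a real EDR format) into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def evaluate(ev):
    """Return the names of the hunting rules an event triggers; an empty list means no match."""
    hits = []
    image = ev.get("image", "").lower()
    if ev.get("type") == "process":
        if image.endswith(".scr") and USER_DIR.match(image):
            hits.append("scr_from_user_dir")            # .scr launched from a user directory
        if image.endswith("\\regsvr32.exe") and any(
                not WINDOWS_DIR.match(d) for d in DLL_ARG.findall(ev.get("cmdline", ""))):
            hits.append("regsvr32_unknown_dll")         # regsvr32 registering a DLL outside Windows
    elif ev.get("type") == "task" and ev.get("name", "").lower() == TASK_NAME.lower():
        hits.append("task_ahnlabupdate")                # persistence task impersonating AhnLab
    elif ev.get("type") == "dns" and ev.get("query", "").lower().rstrip(".") == C2_DOMAIN:
        hits.append("c2_domain")                        # lookup of the HttpTroy C2 host
    return hits

def hunt(lines):
    """Return (line_number, hits) for every line that triggers at least one rule."""
    scored = [(n, evaluate(parse(line))) for n, line in enumerate(lines, 1)]
    return [(n, hits) for n, hits in scored if hits]

# Constructed sample telemetry: the .scr name is the one reported in the advisory; the user
# name, the DLL path and the hostname other than the C2 domain are placeholders.
SAMPLE_LOG = [
    r'type="process" image="C:\Users\alice\Downloads\250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.scr" cmdline=""',
    r'type="task" name="AhnlabUpdate" author="alice"',
    r'type="process" image="C:\Windows\System32\regsvr32.exe" cmdline="regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\unknown.dll"',
    r'type="dns" query="load.auraria.org"',
    r'type="process" image="C:\Windows\System32\regsvr32.exe" cmdline="regsvr32.exe /s C:\Windows\System32\shell32.dll"',
    r'type="dns" query="www.example.com"',
]

if __name__ == "__main__":
    for n, hits in hunt(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

The last two sample lines are benign controls (a system DLL registered from the Windows directory and an unrelated DNS query) and produce no hits.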

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and vendor ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and address emerging threats, ensuring robust protection for critical assets and business operations.

For questions or further information, we are happy to answer at ops@rescana.com.