Kimsuky Deploys HTTPTroy Backdoor to Target Windows Systems in South Korea via VPN Invoice Phishing Campaign
- Rescana

Executive Summary
A newly identified and highly sophisticated cyber-espionage campaign has been attributed to the North Korean advanced persistent threat group Kimsuky. This operation leverages a novel backdoor, HTTPTroy, to target South Korean users through a meticulously crafted spear-phishing campaign. The attack chain employs advanced social engineering, multi-stage payload delivery, and state-of-the-art obfuscation and anti-analysis techniques. The primary objective is persistent, covert access to victim systems, enabling extensive data exfiltration and remote control. The emergence of HTTPTroy underscores the rapid evolution of North Korean cyber capabilities and the persistent threat posed to organizations in South Korea and potentially beyond. This advisory provides a comprehensive technical breakdown of the campaign, the tactics, techniques, and procedures (TTPs) employed, and actionable mitigation strategies.
Threat Actor Profile
Kimsuky (also known as Velvet Chollima, Black Banshee, Thallium, APT43, Emerald Sleet, TA427, Springtail, and Group G0094) is a North Korean state-sponsored threat actor with a long history of cyber-espionage operations. The group is known for targeting government, defense, think tanks, and critical infrastructure, primarily in South Korea but also in the United States, Europe, and other regions. Kimsuky is characterized by its use of spear-phishing, custom malware, and a focus on intelligence gathering. The group’s operations are closely aligned with the strategic interests of the Democratic People’s Republic of Korea (DPRK), and it is recognized for its rapid adoption of new tools and techniques, as evidenced by the deployment of HTTPTroy.
Technical Analysis of Malware/TTPs
The HTTPTroy campaign is a multi-stage attack that begins with a highly targeted spear-phishing email. The email contains a ZIP archive, 250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip, which masquerades as a legitimate VPN invoice. Inside the archive is a Windows screensaver executable (.scr) with the same name, designed to exploit user trust and familiarity with business processes.
Upon execution, the SCR file, a dropper implemented in Golang, extracts three embedded files: a decoy PDF (to distract the user), a loader component (MemLoad), and the final payload. The loader establishes persistence by creating a scheduled task named AhnlabUpdate, impersonating the well-known South Korean cybersecurity vendor AhnLab. This scheduled task ensures the malware survives reboots and maintains a foothold on the system.
The final payload, a DLL named HttpTroy, is loaded into memory and registered using regsvr32, minimizing on-disk artifacts and complicating forensic analysis. HTTPTroy provides a comprehensive suite of capabilities, including file upload and download, screenshot capture, arbitrary command execution with elevated privileges, in-memory loading of additional executables, reverse shell access, process termination, and trace removal. Communication with the command and control (C2) infrastructure is conducted via HTTP POST requests to load.auraria[.]org, with all traffic obfuscated to evade detection.
Obfuscation and anti-analysis are central to HTTPTroy’s design. API calls are concealed using custom hashing algorithms, and all strings are obfuscated using XOR and SIMD instructions, reconstructed only at runtime. No API hashes or strings are reused, significantly complicating static analysis and signature-based detection. The use of in-memory execution and minimal disk footprint further enhances the malware’s stealth.
Exploitation in the Wild
The campaign has, as of current reporting, resulted in at least one confirmed compromise of a South Korean organization, likely within the government, defense, or business sector. The attack was initiated via a spear-phishing email containing the aforementioned ZIP archive, leveraging a business-themed lure to increase the likelihood of user interaction. Upon execution of the malicious SCR file, the infection chain proceeded as designed, resulting in full system compromise. The use of a decoy PDF document helped to allay suspicion, while advanced evasion and persistence mechanisms ensured the attacker’s continued access. No evidence has been found of exploitation of software vulnerabilities; the attack relies entirely on social engineering and user execution.
Victimology and Targeting
The primary targets of this campaign are South Korean organizations, with a focus on entities likely to handle sensitive information of interest to the DPRK, such as government agencies, defense contractors, and critical infrastructure providers. The spear-phishing lure, crafted as a VPN invoice, suggests a deliberate attempt to target users involved in IT, procurement, or administrative functions. While only a single victim has been confirmed, the sophistication of the campaign and the nature of the lure indicate the potential for broader targeting within South Korea and possibly other regions of strategic interest to North Korea.
Mitigation and Countermeasures
Organizations are strongly advised to implement a multi-layered defense strategy to mitigate the risk posed by HTTPTroy and similar threats. Network administrators should immediately block the C2 domain load.auraria[.]org and monitor for any connections to this or related domains, such as tronracing[.]com (associated with other DPRK malware families like BLINDINGCAN). Security teams should audit scheduled tasks across all endpoints for suspicious entries, particularly those named AhnlabUpdate, and investigate any execution of SCR files originating from email attachments or user directories.
User awareness training is critical; employees should be educated to recognize spear-phishing attempts, especially those involving business or VPN-related lures. Endpoint detection and response (EDR) solutions should be configured to alert on the execution of SCR files and the creation of new scheduled tasks. Memory analysis tools should be employed to detect in-memory-only payloads and unusual process injection activity. Regular reviews of email filtering policies and attachment handling procedures can further reduce the risk of successful phishing attacks.
It is important to note that no known CVEs were exploited in this campaign; the infection relies entirely on user interaction. Therefore, technical controls must be complemented by robust user education and incident response planning.
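The following hunting script is an added example, not part of the Rescana advisory or any vendor tooling: it turns the indicators above (SCR execution from user directories, the AhnlabUpdate scheduled task, regsvr32 loading a DLL from a user directory, and connections to the named C2 domains) into rules run over constructed, normalized endpoint events. The event schema, host names, file names and the Downloads/Temp path assumption are all constructed for the example.

```python
import re

# Indicators named in the advisory (the C2 domain appears there de-fanged as load.auraria[.]org).
C2_DOMAINS = {"load.auraria.org", "tronracing.com"}
SUSPICIOUS_TASKS = {"ahnlabupdate"}
# Constructed assumption: attachments opened from mail land in Downloads or the user's temp folder.
USER_DIR_RE = re.compile(r"c:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)


def match_event(ev):
    """Return the advisory-derived rule names that one normalized endpoint event triggers."""
    hits = []
    if ev["type"] == "process_create":
        image, cmd = ev.get("image", ""), ev.get("cmdline", "")
        if image.lower().endswith(".scr") and USER_DIR_RE.search(image):
            hits.append("scr_executed_from_user_dir")
        if image.lower().endswith("regsvr32.exe") and USER_DIR_RE.search(cmd):
            hits.append("regsvr32_dll_from_user_dir")
    elif ev["type"] == "task_create" and ev.get("task_name", "").lower() in SUSPICIOUS_TASKS:
        hits.append("scheduled_task_ahnlabupdate")
    elif ev["type"] == "network" and ev.get("dest_host", "").lower() in C2_DOMAINS:
        hits.append("known_c2_domain")
    return hits


def triage(events):
    """Group rule hits per host; two or more distinct rules on one host marks a likely chain."""
    per_host = {}
    for ev in events:
        for rule in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {h: (sorted(r), len(r) >= 2) for h, r in per_host.items()}


# Constructed sample telemetry (not real logs): one host showing the described chain, one benign.
SAMPLE_EVENTS = [
    {"host": "WS-017", "type": "process_create", "cmdline": "",
     "image": r"C:\Users\jlee\Downloads\VPN_quote.scr"},
    {"host": "WS-017", "type": "task_create", "task_name": "AhnlabUpdate"},
    {"host": "WS-017", "type": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\jlee\AppData\Local\Temp\payload.dll"},
    {"host": "WS-017", "type": "network", "dest_host": "load.auraria.org"},
    {"host": "WS-042", "type": "task_create", "task_name": "MicrosoftEdgeUpdateTaskMachineCore"},
    {"host": "WS-042", "type": "network", "dest_host": "update.example.net"},
]

if __name__ == "__main__":
    for host, (rules, escalate) in triage(SAMPLE_EVENTS).items():
        print(host, rules, "ESCALATE" if escalate else "")
```

Feeding real Sysmon or EDR exports into `triage` only requires mapping their fields onto the `type`, `image`, `cmdline`, `task_name` and `dest_host` keys used here.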
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and vendor ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring robust protection for critical assets and data. For more information about our solutions or to discuss your organization’s cybersecurity needs, we are happy to answer questions at ops@rescana.com.