A North Korea-linked threat actor known as Kimsuky has deployed a previously undocumented backdoor, dubbed ‘HttpTroy,’ in a likely spear-phishing campaign aimed at a single victim in South Korea.
According to cybersecurity and identity protection company Gen Digital, the malicious campaign used a ZIP attachment that masqueraded as a VPN invoice. Opening an SCR (screensaver executable) file inside the archive triggered a three-stage infection chain: a small dropper, a loader called MemLoad, and the final DLL backdoor, HttpTroy. The dropper is a Go binary that contains three embedded files, including a decoy PDF that is shown to the victim while the loader runs covertly.
Once executed, MemLoad establishes persistence by creating a scheduled task named AhnlabUpdate in an attempt to impersonate South Korean cybersecurity firm AhnLab. It then decrypts and launches the HttpTroy DLL. The implant gives operators broad control of the system, including file upload/download, screenshot capture, elevated command execution, in-memory loading of executables, reverse shell, process termination and trace removal. The backdoor communicates with a command-and-control server via HTTP POST requests.
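The persistence described above, a scheduled task whose name borrows a security vendor's brand, is something defenders can hunt for directly in the task XML stored under C:\Windows\System32\Tasks (or exported with schtasks /query /xml). The following triage script is an added example and is not Gen Digital's code or anything recovered from MemLoad; the two task definitions are constructed, the AhnLab install directories are assumed for the example, and the action MemLoad's real task executes is not disclosed in the report.

```python
"""Triage Windows scheduled-task XML for vendor-impersonating names.

Added example, not code from the HttpTroy report. The XML follows the Task
Scheduler schema; both sample tasks below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Vendor names that attackers borrow for task names, mapped to the directories
# a genuine task from that vendor would run from (assumed for this example).
VENDOR_HOMES = {
    "ahnlab": [r"c:\program files\ahnlab", r"c:\program files (x86)\ahnlab"],
}

# Interpreters commonly used to run a DLL or script from a user-writable path.
LOLBIN_RE = re.compile(
    r"^(rundll32|regsvr32|mshta|wscript|cscript|powershell)(\.exe)?$", re.I)
USER_WRITABLE_RE = re.compile(
    r"^\"?(%appdata%|%localappdata%|%temp%|%public%|c:\\users\\|c:\\programdata\\)",
    re.I)

# Constructed: a task that impersonates AhnLab but loads a DLL from AppData.
SUSPICIOUS_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>DESKTOP-1\user</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\user\AppData\Roaming\update.dll,Run</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: what a legitimate vendor updater task would look like.
BENIGN_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>AhnLab, Inc.</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\AhnLab\Updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = {"AhnlabUpdate": SUSPICIOUS_TASK_XML,
                "AhnLab Update": BENIGN_TASK_XML}


def parse_task(name: str, xml_text: str) -> dict:
    """Pull the fields that matter for triage out of one task definition."""
    root = ET.fromstring(xml_text.strip())
    exec_node = root.find(".//t:Actions/t:Exec", NS)
    command = args = ""
    if exec_node is not None:
        command = exec_node.findtext("t:Command", default="", namespaces=NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
    author = root.findtext(".//t:RegistrationInfo/t:Author", default="",
                           namespaces=NS)
    return {"name": name, "command": command, "arguments": args,
            "author": author}


def triage_task(task: dict) -> list:
    """Return the reasons a task looks suspicious (empty list if none)."""
    findings = []
    lname = task["name"].lower()
    cmd = task["command"].strip().strip('"').lower()
    # 1. Name claims a vendor, but the action does not live in that vendor's tree.
    for vendor, homes in VENDOR_HOMES.items():
        if vendor in lname and not any(cmd.startswith(h) for h in homes):
            findings.append(
                f"name impersonates {vendor} but runs {task['command']}")
    # 2. A LOLBin is handed a payload sitting in a user-writable location.
    exe = cmd.rsplit("\\", 1)[-1]
    if LOLBIN_RE.match(exe) and USER_WRITABLE_RE.search(task["arguments"]):
        findings.append("LOLBin loads payload from a user-writable path")
    return findings


def triage_all(tasks: dict) -> dict:
    """Map task name -> findings for every task definition supplied."""
    return {name: triage_task(parse_task(name, xml))
            for name, xml in tasks.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_TASKS).items():
        print(name, "->", findings or "clean")
```

Task files on disk are UTF-16 with a byte-order mark, so when reading them from C:\Windows\System32\Tasks decode the bytes before handing the text to parse_task. The vendor-directory check is deliberately strict: a task that borrows a vendor's name but executes anything outside that vendor's install tree deserves a look even when the action itself is a signed Windows binary.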
HttpTroy employs multiple layers of obfuscation: API calls are concealed using custom hashing techniques, and strings are obfuscated through a combination of XOR operations and SIMD instructions. Rather than reusing stored API hashes and strings, the backdoor reconstructs them dynamically at runtime using varied combinations of arithmetic and logical operations, which further complicates static analysis.
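To make the two techniques concrete, here is an added example of how API hashing and XOR string obfuscation work and how an analyst resolves them. It is not HttpTroy's code and not Gen Digital's: the hash is a generic ROR13-style export-name hash written for illustration, since the report does not disclose the implant's custom algorithm, and the export list and the XOR-encoded blob are constructed.

```python
"""Resolve hashed API names and XOR-obfuscated strings, analyst style.

Added example, not code from HttpTroy or the report. The hash below is a
generic rotate-and-add export-name hash chosen for illustration (assumed, not
the implant's real algorithm); the export list and ciphertext are constructed.
"""


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """ROR13-style hash over an export name (illustrative algorithm)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for the export tables the implant walks at runtime.
KNOWN_EXPORTS = [
    "CreateProcessW", "VirtualAlloc", "VirtualProtect", "WriteFile",
    "ReadFile", "TerminateProcess", "DeleteFileW", "InternetOpenW",
    "HttpOpenRequestW", "HttpSendRequestW",
]


def build_lookup(names) -> dict:
    """Precompute hash -> name so hashes seen in the binary can be resolved."""
    return {api_hash(n): n for n in names}


def resolve(hashes, lookup: dict) -> list:
    """Map each hash to an export name, or an 'unknown:' marker if absent."""
    return [lookup.get(h, f"unknown:{h:#010x}") for h in hashes]


def xor_decode(data: bytes, key: bytes) -> str:
    """Undo a repeating-key XOR, the scalar form of what SIMD code does 16 bytes at a time."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).decode()


# Constructed blob: "POST" XORed with the 2-byte key 5A A5.
ENCODED_VERB = b"\x0a\xea\x09\xf1"
VERB_KEY = b"\x5a\xa5"


def recover_sample() -> dict:
    """Resolve a constructed set of hashes and decode the constructed string."""
    lookup = build_lookup(KNOWN_EXPORTS)
    # Hashes an analyst might lift from the implant's resolver routine.
    seen = [api_hash("VirtualAlloc"), api_hash("HttpSendRequestW"),
            api_hash("NotAnExport")]
    return {"imports": resolve(seen, lookup),
            "verb": xor_decode(ENCODED_VERB, VERB_KEY)}


if __name__ == "__main__":
    print(recover_sample())
```

The resolve step is the whole reason API hashing slows analysis only as long as the algorithm is unknown: once the hash routine is lifted from the binary, a table built over the export names of the DLLs the sample loads resolves every constant in seconds. Reconstructing hashes and XOR keys at runtime from arithmetic, as the report describes, removes those constants from the static image, so the same table has to be applied to values captured in an emulator or debugger instead.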
Gen Digital did not disclose when the incident occurred and said the intruders likely gained initial access through phishing, since the researchers found no evidence of an exploited software vulnerability.