The well-known North Korean threat group continues to improve the obfuscation and anti-analysis features of its attack toolchain.
November 5, 2025

In its attempts to stay ahead of defenders, North Korean threat group Kimsuky has deployed an updated tool against South Korean users, aiming to make its attack programs harder to detect and analyze, threat researchers say.

The tool, dubbed HttpTroy, is a backdoor that aims to give its controllers full access to an infected system, including moving files, taking screenshots, and executing commands, researchers from cybersecurity firm Gen stated in an analysis published last week. The backdoor is the final step of an attack chain targeting South Korean users that consists of a small dropper, a subsequent loader known as MemLoad, and the HttpTroy backdoor itself.

The attack — delivered as a zip archive containing a Microsoft Windows screensaver (.scr) file — executes when the user opens the file, displaying a decoy PDF invoice written in Korean while running the attack chain until the backdoor is in place, says Michal Salát, threat intelligence director at Gen, a cybersecurity software and services company.

HttpTroy "supports a wide range of remote actions and increases stealth by encrypting its communications, obfuscating payloads, and executing code in memory," he says. "As a high-tier APT, they frequently rotate and rebuild payloads, so HttpTroy appears to be another effort by Kimsuky to evade detection."

North Korean state-sponsored groups have used a variety of techniques to target governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. A group thought to be Kimsuky targeted diplomatic missions in South Korea this summer using a password-protected zip file as the delivery vehicle. In September, the group used AI-generated deepfake photos to create military IDs as part of an attack on journalists, human-rights activists, and researchers.

While effective, HttpTroy is a straightforward improvement on the tools Kimsuky already uses, says Peter Kálnai, a senior malware researcher with cybersecurity firm ESET. Kimsuky — and another infamous North Korean group, Lazarus — are focused on making their tools harder to detect and analyze, he says.

"With their existing anti-analysis features ... the analysis of their payloads is already difficult," Kálnai says, adding that Kimsuky has also made use of commercial encryption products. "This layered approach significantly increases the complexity and time required for reverse engineering the malware."

Both the Kimsuky and Lazarus groups' attack chains rely heavily on obfuscation and anti-analysis techniques to slip past defenses and make reverse engineering more difficult, says Aaron Beardslee, manager of threat research at cybersecurity platform provider Securonix. The groups use legitimate services and Windows processes to dodge security tools, and a different encryption method for each step of a multistage infection chain to slow down researchers.
Other techniques, such as memory-resident execution and dynamic API resolution, help the malicious code avoid detection, Beardslee says. Sometimes, the groups think outside the box, he adds.

"Adversaries are always going to be searching for new ways to blend in and adapt to the defensive tooling employed by their targets," he says. "The most nefarious I've seen to date has been defense evasion in the actual hiring process of a company. Dozens of Fortune 100 organizations have unknowingly hired IT workers from North Korea."

Companies should make sure that their anti-malware solutions include in-memory scanning, to detect payloads that are loaded directly into memory and leave no footprint on disk. In addition, threat intelligence can help defenders keep up with attacker methods, especially in the most frequently targeted sectors, such as cryptocurrency, financial systems, aerospace, defense, the South Korean government, and some healthcare-related entities, says ESET's Kálnai.

Most of the attacks are straightforward, but simple is not the same as static: the modularity of the malware — such as the ThreatNeedle backdoor used by the Lazarus group — allows additional attack techniques to be added easily, Kálnai says.

"Its capabilities are designed to be extensible through the dynamic loading of additional DLLs, which effectively function as a plug-in architecture," he says. "This design allows the threat actor to quickly augment functionality and tailor the final payload to the specific target environment without having to significantly update the core RAT binary."

Defenders are not always destined to fall behind attackers.
Even state-sponsored groups tire of the rat race, often choosing stability and simplicity over continuous feature development, says Kálnai, who noted that much of the core set of capabilities used by both Kimsuky and Lazarus changes slowly.

"We believe these minor changes underscore a key operational priority for the attackers," he says. "Stability and operational simplicity are more important than continuous feature development for their flagship tools."

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
Copyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget.