Security researchers have documented a targeted, multi-stage intrusion that delivered a previously unseen backdoor named HttpTroy. The campaign, attributed to the North Korea-aligned group known as Kimsuky, used a convincing VPN invoice lure to trick a single high-value target in South Korea into running a malicious SCR file inside a ZIP archive. The attack chain drops a small Go-based stub, a loader called MemLoad, and the final HttpTroy DLL backdoor, giving operators full remote control over the compromised host.
Table of Contents
- What happened
- Attack chain breakdown
- HttpTroy backdoor capabilities
- Technical evasion and obfuscation
- Why this ties to Kimsuky and related campaigns
- Lazarus activity and BLINDINGCAN update
- Indicators of compromise
- Detection and mitigation

What happened
Gen Digital and other threat analysts uncovered a targeted intrusion that began with a phishing email carrying a ZIP file named to resemble a VPN invoice. The archive contained a Windows SCR file. When the victim opened the SCR, it launched a small Go binary that dropped a decoy PDF for distraction while extracting two additional components: MemLoad and an encrypted DLL that becomes HttpTroy.
MemLoad sets up persistence by registering a scheduled task named “AhnlabUpdate”, an attempt to impersonate the local South Korean security vendor and avoid suspicion. MemLoad then decrypts the DLL payload and loads it into memory. The final backdoor communicates with its command-and-control server over HTTP and gives attackers a wide range of control and data exfiltration options.
Attack chain breakdown
- Initial lure: ZIP archive labeled as a VPN invoice. The archive includes a decoy PDF and an SCR file. The filename and decoy are localized to increase credibility.
- Dropper: A small Go binary embedded in the SCR. It writes the decoy PDF to disk, displays it to the user, and drops the next-stage components to avoid suspicion.
- Loader (MemLoad): A DLL responsible for persistence. It recreates a scheduled task called “AhnlabUpdate” and decrypts the final backdoor using RC4. The scheduled task is configured to run silently, often via regsvr32 to execute the DLL.
- Final payload (HttpTroy): A highly obfuscated DLL backdoor that supports file upload and download, screenshots, command execution, reverse shell, in-memory execution, and trace removal. It communicates with the C2 over HTTP POST requests to load.auraria[.]org.

HttpTroy backdoor capabilities
HttpTroy is a full-featured backdoor designed for stealth and long-term access. Observed capabilities include:
- File upload and download for data theft and tool delivery.
- Screenshot capture for reconnaissance and credential harvesting.
- Command execution with elevated privileges and reverse shell support.
- In-memory loading of additional executables to avoid writing disk artifacts.
- Process termination and trace removal to hinder incident response.
- Obfuscated HTTP POST communication with a chatroom-style C2 protocol.
- Simple XOR plus Base64 obfuscation applied to C2 payloads and responses.

Technical evasion and obfuscation
HttpTroy uses layered obfuscation to slow analysis and evade detections. Techniques observed include:
- Custom API hash schemes instead of static imports. The backdoor reconstructs API names at runtime using arithmetic and logical operations.
- String obfuscation with XOR and SIMD-style operations to prevent simple string scanning.
- Use of in-memory execution and DLL registration via regsvr32 to minimize on-disk indicators.
- Scheduled task persistence under a vendor-sounding name to blend with legitimate processes.

These methods complicate static analysis and mean defenders must rely on behavioral and network telemetry to detect activity.
Why this ties to Kimsuky and related campaigns
Several factors make the Kimsuky attribution plausible. The lure and filenames are Korean-language centric and reference local vendors and products. The scheduled task name is intentionally AhnLab-like. The delivery style and use of decoy documents closely mirror previously observed Kimsuky tactics, including ClickFix social engineering variants where decoy web pages or documents distract the user while scripts or binaries execute in the background.
Multiple South Korean vendors have traced similar tactics back to Kimsuky, including spear phishing that impersonates media or academic contacts, and the use of Compressor archives with scripted dropper logic. The HttpTroy chain fits that pattern: localized social engineering, staged payloads, and stealthy persistence and C2 mechanisms.
Lazarus activity and BLINDINGCAN update
Alongside the Kimsuky discovery, researchers also observed a Lazarus Group campaign using a multi-stage Comebacker dropper that ultimately loads a new BLINDINGCAN variant. The Lazarus chain differs in specifics but shares high-level patterns: staged decryption of embedded payloads, dynamic API resolution, in-memory execution, and robust command sets for exfiltration and remote control.
Observed BLINDINGCAN capabilities include file system enumeration, screenshot capture, in-memory execution, process and service manipulation, and encrypted C2 communication. The Comebacker dropper uses HC256 and RC4 for configuration and payload obfuscation, and it can deploy the final payload as a service for persistence.
Indicators of compromise
Use these artifacts for detection, blocking, and hunting. Treat them as part of broader indicators and look for patterns in behavior and scheduling that match the chain.
- SCR dropper SHA-256: e19ce3bd1cbd980082d3c55a4ac1eb3af4d9e7adf108afb1861372f9c7fe0b76
- MemLoad SHA-256: 20e0db1d2ad90bc46c7074c2cc116c2c08a8183f3ac6f357e7ebee0c7cc02596
- HttpTroy SHA-256: 10c3b3ab2e9cb618fc938028c9295ad5bdb1d836b8f07d65c0d3036dbc18bbb4
- HttpTroy C2: load[.]auraria[.]org
- HttpTroy user agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
- Comebacker / Compcat / BLINDINGCAN examples: new Comebacker variant SHA-256: 509fb00b9d6eaa74f54a3d1f092a161a095e5132d80cc9cc95c184d4e258525b
- New BLINDINGCAN SHA-256: c60587964a93b650f3442589b05e9010a262b927d9b60065afd8091ada7799fe
- BLINDINGCAN C2 examples: trnracing[.]com, 166[.]88[.]11[.]10, 23[.]27[.]140[.]49
- Scheduled task name used for persistence: AhnlabUpdate
- Mutex examples: a:fnjiuygredfgbbgfcvhutrv, u:fnjiuygredfgbbgfcvhutrv

Detection and mitigation
Defenders should treat this activity as a high-risk targeted intrusion. Recommended actions include:
- Block and monitor traffic to and from the listed C2 domains and IPs at the network perimeter and in DNS logs.
- Hunt for new or unusual scheduled tasks, especially those named to resemble local security vendors or update services.
- Detect and quarantine unexpected regsvr32 executions that register unknown DLLs.
- Monitor for in-memory loader behavior, unusual WebView activity that displays decoy documents, and rapid creation of files that match decoy PDF names.
- Inspect endpoint telemetry for sudden process injection, reverse shell processes, or screenshot activity. Use behavior-based detections in addition to signature-based detections.
- Educate staff to treat compressed attachments from external senders as high risk. If an attachment is unexpected, verify with the sender before opening.
- Apply least privilege. Avoid running daily user sessions with administrative rights to limit what a loader can do if executed.
- Use modern endpoint protection and detection tools and keep definitions and engines current. Consider a dedicated anti-malware scan if compromise is suspected. See our anti-malware guidance for recommended tools and procedures.
 
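As an added illustration of the scheduled-task, regsvr32 and C2 hunting steps above (example code written for this article, not code from the report or from Gen Digital), the following Python runs those three checks over a few constructed telemetry records. The pipe-delimited record format, its field names and the vendor-lookalike name list are assumptions made for the example; the C2 host and user agent are the values from the indicator list above.

```python
import re

# Constructed sample telemetry (not from the report): one record per line as
# "source|key=value|...", mixing chain-like events with benign noise.
SAMPLE_TELEMETRY = """\
taskcreate|name=AhnlabUpdate|action=regsvr32.exe /s C:\\Users\\kim\\AppData\\Local\\Temp\\MemLoad.dll
taskcreate|name=OneDrive Standalone Update Task|action=C:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe
proc|image=C:\\Windows\\System32\\regsvr32.exe|cmdline=regsvr32.exe /s C:\\Users\\kim\\AppData\\Local\\Temp\\MemLoad.dll
proc|image=C:\\Windows\\System32\\regsvr32.exe|cmdline=regsvr32.exe /s C:\\Windows\\System32\\msxml6.dll
http|method=POST|host=load.auraria.org|ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
http|method=GET|host=www.example.com|ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
"""

# C2 host and user agent are taken from the report's indicator list.
C2_HOSTS = {"load.auraria.org"}
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36")
# Assumed heuristic: task names borrowing a local security vendor's name; tune per environment.
VENDOR_LOOKALIKES = ("ahnlab", "alyac", "v3")
USER_WRITABLE_RE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)


def parse(line):
    """Split "source|k=v|k=v" into a dict with the source under 'source'."""
    source, *fields = line.split("|")
    rec = {"source": source}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def check(rec):
    """Return the alerts one record raises; an empty list means it looks benign."""
    alerts, src = [], rec["source"]
    if src == "taskcreate" and any(v in rec["name"].lower() for v in VENDOR_LOOKALIKES):
        alerts.append(f"vendor-lookalike scheduled task: {rec['name']}")
    if (src == "proc" and rec["image"].lower().endswith("regsvr32.exe")
            and USER_WRITABLE_RE.search(rec["cmdline"])):
        alerts.append("regsvr32 registering a DLL from a user-writable path")
    if src == "http" and rec["host"] in C2_HOSTS:
        alerts.append(f"HTTP {rec['method']} to known HttpTroy C2 host {rec['host']}")
    elif src == "http" and rec["method"] == "POST" and rec["ua"] == C2_USER_AGENT:
        alerts.append(f"HttpTroy user agent on POST to {rec['host']}")
    return alerts


def hunt(telemetry):
    """Run every check over each non-empty record and return the flattened alerts."""
    return [a for line in telemetry.splitlines() if line.strip() for a in check(parse(line))]
```

Running `hunt(SAMPLE_TELEMETRY)` flags the three chain-like records and leaves the OneDrive task, the system DLL registration and the ordinary GET untouched; the user-agent rule fires only on POSTs to hosts outside the known C2 set, so the same request is not reported twice.
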
For organizations in South Korea or anyone handling sensitive national security and research workflows, prioritize monitoring for ClickFix-style social engineering and decoy documents. Track unusual GitHub or cloud traffic that could indicate staging or exfiltration. If you find evidence of infection, isolate the system, preserve forensic artifacts, and engage incident response resources to perform a full containment and cleanup.
HttpTroy and the related Comebacker to BLINDINGCAN flow show a continued refinement of techniques by DPRK-aligned groups, emphasizing obfuscation, persistent loaders, and in-memory execution. Hunting for the chain at the scheduling, DLL registration, and network layers is the most effective way to detect these operations early.