Kimsuky Debuts HTTPTroy Backdoor Against South Korea Users

Summary

Kimsuky, a North Korean state-sponsored threat group, has deployed a new backdoor named HttpTroy against South Korean users. According to analysis by Gen, the final-stage backdoor is delivered through a multistage chain that begins with a ZIP archive containing a .scr screensaver file. When the victim runs it, the screensaver opens a decoy Korean-language PDF invoice while a small dropper executes in the background; the dropper stages a loader called MemLoad, which in turn loads the HttpTroy backdoor.

HttpTroy provides remote access capabilities, including file transfer, screenshot capture and command execution, and emphasises stealth through encrypted command-and-control traffic, payload obfuscation and in-memory execution. Researchers note that Kimsuky frequently rotates and rebuilds its payloads, and abuses legitimate services and multiple encryption layers across the stages to slow down defenders and analysts. Defenders are advised to use in-memory scanning and to maintain threat intelligence focused on heavily targeted sectors such as government, aerospace, finance and cryptocurrency.

Key Points

  • HttpTroy is the latest backdoor used by Kimsuky, offering remote access and system control.
  • Delivery used a ZIP containing a Windows .scr screensaver that displays a PDF invoice in Korean to lure victims.
  • The attack chain includes a small dropper, MemLoad loader, then the HttpTroy backdoor as the final payload.
  • HttpTroy uses encrypted communications, payload obfuscation, memory-resident execution and dynamic API resolution to evade detection and analysis.
  • Kimsuky and related DPRK groups (e.g. Lazarus) employ legitimate services and multiple encryption methods across stages to complicate reverse engineering.
  • Malware modularity (dynamic DLL loading / plug-in architecture) lets operators extend capabilities without overhauling core binaries.
  • Recommended defences include in-memory scanning, updated threat intelligence, and monitoring of frequently targeted sectors.
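
The delivery chain in the summary and key points above (a ZIP archive carrying a .scr screensaver dressed up as a PDF invoice) is the part of this campaign a defender can check for at the mail gateway or in a sandbox. The following Python script is an added example, not code from Gen, Dark Reading or the report: it opens a ZIP archive and flags members that carry an executable extension such as .scr, hide one behind a document extension (invoice.pdf.scr), pad the name with spaces so the real extension scrolls out of view in Explorer, or start with the PE "MZ" magic despite a document-like name. It goes slightly beyond the specific campaign by covering other Windows-executable extensions and the magic-versus-name mismatch. The archive it scans is constructed inline for the demonstration; the member names and the extension lists are assumptions, not indicators from the report.

```python
import io
import os
import zipfile

# Extensions Windows executes on double-click even when the icon and name suggest
# a document. .scr (screensaver) is the one used in the HttpTroy delivery chain;
# the rest are assumptions added for generality, not indicators from the report.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".cpl", ".bat",
                         ".cmd", ".js", ".vbs", ".lnk", ".hta"}
# Document extensions commonly used as the "outer" name in a double extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".txt"}


def inspect_member(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks like an executable lure.

    name: member filename as stored in the ZIP.
    head: first few bytes of the member's content (for the magic check).
    """
    reasons = []
    base = os.path.basename(name)
    # Strip padding so 'invoice.pdf        .scr' splits into ['invoice', 'pdf', 'scr'].
    parts = [p.strip() for p in base.lower().split(".")]
    ext = "." + parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    # Double extension: a document extension immediately before the real one.
    if len(parts) > 2 and ext in EXECUTABLE_EXTENSIONS and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append(f"document extension .{parts[-2]} hides {ext}")
    # Runs of spaces push the real extension out of view in file listings.
    if "  " in base:
        reasons.append("padding spaces in filename")
    # Content check: PE images start with 'MZ' regardless of what the name claims.
    if head.startswith(b"MZ"):
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("PE (MZ) header")
        else:
            reasons.append("PE (MZ) header under a non-executable name")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Scan raw ZIP bytes; map each suspicious member name to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic bytes are needed
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (not a real sample) mirroring the lure layout:
    a benign decoy PDF, a padded 'invoice.pdf ... .scr' PE stub, a PE hiding as
    notes.pdf, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed benign decoy\n")
        zf.writestr("invoice.pdf                     .scr", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("notes.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_archive()).items():
        print(f"{member!r}: {', '.join(why)}")
```

In production this check belongs before any user sees the attachment (gateway or sandbox), and the magic check should be extended to nested archives and to other executable containers (MSI, CAB, ISO) rather than trusting the outer name alone.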

Context and relevance

This development is part of a broader trend in which state-sponsored actors improve obfuscation and anti-analysis techniques rather than dramatically change core functionality. For organisations in Asia-Pacific, especially South Korean government entities and defence, aerospace, finance and cryptocurrency firms, these evasion improvements increase the effort required for detection, triage and incident response. The report reinforces that many advanced persistent threats prefer layered, stable toolchains with occasional tweaks to stay ahead of defensive tooling.

Why should I read this?

Quick and blunt: if you look after security for organisations in South Korea, or for anyone in the sectors listed above, you need to know this one. Kimsuky isn't inventing brand-new magic; it is making its kit harder to catch. We've read the report so you don't have to: it's a neat example of how simple delivery + layered obfuscation = trouble. Patch your detection gaps and check your in-memory scanning now.

Author’s take

Punchy and clear: this is a practical escalation in evasion, not a flashy new capability. For defenders it means doubling down on memory inspection and threat intel, and recognising that attackers increasingly hide in legitimate services and multi-stage encryption.

Source

Source: https://www.darkreading.com/vulnerabilities-threats/kimsuky-httptroy-backdoor-south-korea-users