Full Report
The North Korea-linked threat actor known as Kimsuky has distributed a previously undocumented backdoor codenamed HttpTroy as part of a likely spear-phishing attack targeting a single victim in South Korea. Gen Digital, which disclosed details of the activity, did not reveal any details on when the incident occurred, but noted that the phishing email contained a ZIP file ("250908_A_HK이노션
Analysis Summary
# Incident Report: Kimsuky Spear-Phishing Campaign Deploying HttpTroy Backdoor
## Executive Summary
The North Korea-linked threat actor Kimsuky ran a narrowly targeted spear-phishing attack against a single victim in South Korea and deployed a previously undocumented backdoor named HttpTroy. The chain consisted of a dropper, a loader (MemLoad) and the final HttpTroy DLL, which gives the operator file transfer, screenshot capture and command execution on the compromised host. The timing of the incident is not disclosed; the notable point of the disclosure is the obfuscation HttpTroy applies (custom API hashing, XOR- and SIMD-based string encoding, runtime reconstruction of both) to resist static detection once it is running on the host.
## Incident Details
- Discovery Date: Not explicitly disclosed (Report published Nov 03, 2025)
- Incident Date: Unknown
- Affected Organization: Single victim in South Korea (Name not disclosed)
- Sector: Not disclosed. The lure, a price quotation for an SSL VPN appliance, suggests a commercial procurement context, but the report does not name a sector.
- Geography: South Korea
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown
- **Vector:** Spear-phishing via email.
- **Details:** The victim received an email containing a ZIP file named `"250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip"` (견적서 means "quotation"), posing as a price quotation for a Secuway SSL VPN Manager appliance licensed for 100 users (which suggests the victim may use, or be procuring, Secuway SSL VPN). The ZIP contained a malicious SCR file. An `.scr` file is a Windows screensaver, which is an ordinary PE executable under a different extension, so opening it runs native code.
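The lure above is a ZIP whose only dangerous member is an executable with a screensaver extension. The following is an added example (not code from Gen Digital or the original article) of the check an email gateway or triage script should apply to such attachments: it flags executable extensions, double extensions, and, independently of the name, members whose content starts with the PE `MZ` header. The archive it scans is constructed in memory for the demo; the member names and contents are assumptions and the "PE" bodies are just an `MZ` prefix with padding.

```python
"""Inspect an e-mail ZIP attachment for executable payloads hidden behind
lure names. Example code added to this report, not from the original
article. The archive is constructed in memory; nothing here is real malware."""
import io
import zipfile

# Extensions Windows executes on double-click. .scr (screensaver) is a plain
# PE executable despite the name; it is the type used in the lure above.
EXEC_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".cpl", ".dll", ".msi", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk",
}
PE_MAGIC = b"MZ"


def scan_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per suspicious member of the ZIP (name + reasons)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            parts = lower.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            # "quote.pdf.scr": the inner extension is what a user sees when
            # Explorer hides the real one.
            if len(parts) >= 3 and ext in EXEC_EXTENSIONS:
                reasons.append("double extension")
            # A run of spaces pushes the real extension out of narrow dialogs.
            if "  " in name:
                reasons.append("padded file name")
            # Check content, not just name: a PE renamed to .pdf still has MZ.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:
                reasons.append("PE header (MZ)")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure archive: a fake PE .scr, a renamed fake PE, a text file.
    The member names are assumptions for the demo, not the real lure's."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        fake_pe = b"MZ" + b"\x00" * 62  # MZ magic plus padding, not runnable
        zf.writestr("SecuwaySSL VPN Manager 견적서.pdf.scr", fake_pe)
        zf.writestr("invoice.pdf", fake_pe)  # executable hiding behind .pdf
        zf.writestr("readme.txt", b"quotation attached\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_archive()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

The content check matters more than the extension list: renaming the payload to `.pdf` defeats an extension filter but not the `MZ` test, and a gateway that only looks at the outer ZIP name (here a plausible quotation) sees nothing at all.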
### Execution & Infection Chain
- **Date/Time:** Immediately following user interaction (opening the SCR file).
- **Vector:** Execution of the SCR file initiated a multi-stage infection:
  1. **Stage 1 (Dropper):** The SCR file runs as a Go-written dropper that carries three embedded files, including a decoy PDF displayed to the victim so that the execution looks like opening a document.
  2. **Stage 2 (Loader):** At the same time the dropper launched a loader named **MemLoad**, which established persistence.
  3. **Stage 3 (Backdoor):** MemLoad decrypted the final payload and executed it in memory: the **HttpTroy** backdoor, delivered as a DLL.
### Persistence
- **Date/Time:** Established by MemLoad.
- **Vector:** Creation of a scheduled task named **"AhnlabUpdate"** to mimic legitimate updates from the South Korean cybersecurity firm AhnLab.
### Lateral Movement
- **Details:** No specific lateral movement details were provided in the context, but the HttpTroy backdoor is capable of command execution and reverse shell, enabling post-exploitation activities.
### Data Exfiltration/Impact
- **Details:** The HttpTroy backdoor provides capabilities for file upload/download, capturing screenshots, and executing arbitrary commands with elevated privileges, indicating potential data theft and prolonged surveillance.
### Detection & Response
- **Details:** The activity was discovered and disclosed by Gen Digital. Response actions taken by the victim or external parties are not detailed in this summary.
## Attack Methodology
- **Initial Access:** Spear-phishing via a malicious ZIP attachment containing a Windows screensaver executable (`.SCR`), a PE binary rather than a script.
- **Persistence:** Scheduled task named "AhnlabUpdate", masquerading as an AhnLab product update so that it survives a casual review of the task list.
- **Privilege Escalation:** Implied by the ability to execute commands with "elevated privileges."
- **Defense Evasion:**
* Multi-stage infection chain (dropper, loader, backdoor).
* Use of a decoy PDF to distract the user.
* Advanced obfuscation in HttpTroy (concealing API calls via custom hashing, strings obfuscated using XOR and SIMD instructions).
* Dynamic reconstruction of API hashes and strings at runtime to avoid static signature detection.
- **Credential Access:** Not described in the source.
- **Discovery:** Capability to recursively enumerate files/directories and collect system metadata.
- **Lateral Movement:** Implied via command execution and reverse shell capabilities.
- **Collection:** File enumeration, system metadata collection, process listing, taking screenshots, and capturing video from capture devices.
- **Exfiltration:** File upload capability via HTTP POST requests to the C2 server.
- **Impact:** Potential for complete system compromise and data exfiltration.
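The Defense Evasion bullets above describe two techniques that defeat string-based signatures: API names replaced by hashes that are resolved at runtime, and strings stored XOR-encoded and decoded with SIMD instructions. The following added example (not code from the article, from Gen Digital, or from HttpTroy itself) shows the analyst-side counterpart: precompute the hash of every candidate API name so that constants pulled from a disassembly resolve to names, and decode a block-XOR string. The hash used here, ROR13 over the uppercased name, is an illustrative algorithm that is common in Windows malware and is an assumption; HttpTroy's custom hash is not published in this report. The sample hashes, key and blob are constructed for the demo.

```python
"""Resolve hashed API names and decode block-XOR strings. Example code added
to this report; the hash is an illustrative ROR13 variant (assumption), not
HttpTroy's own algorithm. All sample values are constructed."""


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """ROR13 additive hash over the upper-cased name (assumed algorithm).
    Case folding is why "VirtualAlloc" and "VIRTUALALLOC" hash the same."""
    h = 0
    for byte in name.upper().encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


def build_hash_table(api_names) -> dict[int, str]:
    """Precompute hash -> name so constants from a sample resolve instantly."""
    return {api_hash(n): n for n in api_names}


def resolve_hashes(hashes, table: dict[int, str]) -> list[str]:
    """Map each hashed constant to an API name, or mark it unresolved."""
    return [table.get(h, f"unknown_{h:08x}") for h in hashes]


def xor_encode(plain: bytes, key: bytes) -> bytes:
    """Pad to the key length and XOR with the repeating key (used here only
    to build the constructed sample blob)."""
    padded = plain + b"\x00" * (-len(plain) % len(key))
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(padded))


def xor_decode(blob: bytes, key: bytes) -> bytes:
    """XOR with the repeating key and strip the NUL padding. A 16-byte key
    applied per 16-byte block is exactly what a 128-bit pxor loop computes,
    so a SIMD decoder and this byte loop agree on the result."""
    out = bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))
    return out.rstrip(b"\x00")


# Candidate import names an analyst would hash; extend with the full export
# tables of kernel32/wininet/etc. in real use.
KNOWN_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread",
    "InternetOpenA", "HttpSendRequestA", "CreateProcessW", "Sleep",
]
# Constructed stand-ins for constants lifted from a disassembly; in practice
# these come from the sample, not from api_hash().
SAMPLE_HASHES = [api_hash("VirtualAlloc"), api_hash("HttpSendRequestA"), 0xDEADBEEF]
KEY = bytes(range(0x10, 0x20))                 # constructed 16-byte key
SAMPLE_BLOB = xor_encode(b"AhnlabUpdate", KEY)  # constructed encoded string


def demo() -> tuple[list[str], bytes]:
    table = build_hash_table(KNOWN_APIS)
    return resolve_hashes(SAMPLE_HASHES, table), xor_decode(SAMPLE_BLOB, KEY)


if __name__ == "__main__":
    names, text = demo()
    print(names, text)
```

Because the names are reconstructed only at runtime, a static scanner sees neither `HttpSendRequestA` nor `AhnlabUpdate` in the binary; the hash table and a memory dump taken after the decoder has run are what recover them.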
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Potential exposure of sensitive data due to full system control, file access, and screenshot capability.
- **Operational:** Potential for data destruction or system manipulation via command execution.
- **Reputational:** Not disclosed.
## Indicators of Compromise
- **File Indicators:**
* Malicious ZIP file: `"250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip"`
* SCR file within the ZIP.
* Golang binary dropper.
* DLL Backdoor: "HttpTroy".
* Loader component: "MemLoad".
- **Network Indicators (C2 - Defanged):**
* `load.auraria[.]org` (communicates over HTTP POST)
- **Behavioral Indicators:**
* Creation of a scheduled task named "AhnlabUpdate".
* Dynamic API hashing/string reconstruction in memory.
## Response Actions
- **Containment:** (Not detailed in the article, but would typically involve isolating the affected host and blocking C2 communication).
- **Eradication:** (Not detailed, but would require removal of the scheduled task, MemLoad, and HttpTroy components).
- **Recovery:** (Not detailed, focused primarily on discovery).
## Lessons Learned
- **Targeted Lures:** Kimsuky continues to use highly contextual spear-phishing lures (e.g., VPN invoices) specific to potential victim environments.
- **Chained Malware:** The use of a three-stage infection chain (dropper -> loader -> backdoor) is effective for layering obfuscation and increasing resistance to quick analysis.
- **Advanced Evasion:** The implementation of dynamic reconstruction of API calls and strings represents a significant effort to subvert common static analysis techniques used by security vendors.
## Recommendations
- Enhance email security controls to detect and block archives carrying executables (including `.scr` screensaver files and other PE payloads behind document-like names) from external senders.
- Enforce application control and execution policies so that executables and scripts launched from email attachments or user-writable directories are blocked by default.
- Proactively monitor scheduled task creation, and review tasks whose names impersonate known security products (e.g. "AhnlabUpdate") but whose actions do not run from that product's installation directory.
- Ensure endpoint detection and response (EDR) coverage of in-memory execution and runtime API resolution, since HttpTroy's hashed API calls and encoded strings are only visible once the code is running.