CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

The North Korea-linked threat actor Kimsuky distributed a new backdoor named HttpTroy in a targeted spear-phishing attack against a South Korean entity. The attack involved a ZIP file disguised as a VPN invoice, which contained a multi-stage malware chain. HttpTroy enables file transfers, screenshot capture, command execution, and other malicious activities. The malware uses advanced obfuscation techniques to evade detection. The attack was detected by Gen Digital, which did not specify the exact timeline of the incident. The initial vector is suspected to be a phishing email, as no known vulnerabilities were exploited. The malware communicates with a command-and-control server over HTTP POST requests. The attack chain includes a dropper, a loader (MemLoad), and the final backdoor (HttpTroy). The ZIP file contained a Microsoft Windows screensaver (.scr) file, which displayed a PDF invoice written in Korean and loaded the attack chain until the backdoor program was running. HttpTroy supports a wide range of remote actions and increases stealth by encrypting its communications, obfuscating payloads, and executing code in memory. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in their attacks. The groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection.

Timeline

  1. 03.11.2025 12:42 2 articles · 7d ago

    HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack

    The attack involved a ZIP file containing a Microsoft Windows screensaver (.scr) file, which displayed a PDF invoice written in Korean and loaded the attack chain until the backdoor program was running. The article also highlights the advanced obfuscation techniques used by HttpTroy to evade detection and the broader campaign by North Korean state-sponsored groups targeting various sectors. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in their attacks. The groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Iranian APT Phishing Campaign Targets US Think Tanks

Between June and August 2025, an Iranian advanced persistent threat (APT) group, tentatively named UNK_SmudgedSerpent, conducted targeted phishing attacks against prominent US think tanks and policy experts. The campaign impersonated influential figures in US foreign policy, including Suzanne Maloney and Patrick Clawson, to steal credentials and deploy remote monitoring and management (RMM) software. The group's tactics, techniques, and procedures (TTPs) overlapped with multiple known Iranian APTs, suggesting possible reorganization or collaboration within Iranian cyber operations. The phishing attempts involved impersonating key figures in US policy discussions on Iran, using tailored emails to lure targets into clicking malicious links. The group used a combination of techniques reminiscent of multiple Iranian APTs, including TA453 (Charming Kitten) and TA455 (Smoke Sandstorm), and deployed RMM software, a tactic previously associated with TA450 (MuddyWater). The campaign targeted over 20 subject matter experts at a U.S.-based think tank and used decoy documents and zip files containing RMM installers. The attackers also impersonated prominent U.S. foreign policy figures associated with think tanks like Brookings Institution and Washington Institute, and used spoofed login pages to harvest Microsoft account credentials. The group's activity was observed to have paused, but concerns persist due to the tactical overlap with known Iranian APTs. The group's tactics and infrastructure suggest possible personnel movement or shared infrastructure procurement between Iranian contracting outfits.

Open in new tab

Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats

A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy, the Netherlands, and Serbian government agencies. The campaign involves spearphishing emails with malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems. The attacks have broadened in scope to include diplomatic entities from Italy and the Netherlands. The zero-day vulnerability allows for remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft has not yet released a patch for this vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. The campaign began with spear phishing emails themed around diplomatic meetings and conferences. The malicious LNK files exploit ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025. The LNK file invokes PowerShell with an obfuscated command that decodes a tar archive file named rjnlzlkfe.ta. The tar archive contains three critical files that enable the attack chain through DLL side-loading. The malware includes a legitimate Canon printer assistant utility with an expired digital signature. The second file, cnmpaui.dll, serves as a lightweight loader designed to decrypt and execute the PlugX payload. PlugX is a RAT that provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions.

Open in new tab

Lazarus Group Deploys Multiple RATs in DeFi Sector Campaign

The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. The initial 2024 attack began with social engineering on Telegram and fake scheduling websites, leading to the compromise of an employee's system. The attackers used various tools for discovery, credential harvesting, and proxy connections, eventually transitioning to stealthier RATs. The impact of the attack includes the compromise of employee systems and potential data exfiltration. The use of multiple RATs indicates a sophisticated and multi-stage attack strategy aimed at high-value targets. The 2025 campaign targeted three European firms involved in drone development, using trojanized open-source applications and manipulated GitHub projects to deliver malware. The attacks coincide with North Korean support for Russian operations in Ukraine, suggesting an effort to gather intelligence on Western-made drones. The campaign began in late March 2025 and involved the use of a trojanized PDF reader to deliver malware. The campaign could be focused on collecting information on weapon systems deployed in Ukraine, as well as gathering information to perfect designs and processes. At least two of the victims are heavily involved in the development of UAV technology, with one making critical drone components and the other building UAV-related software.

Open in new tab

XenoRAT malware campaign targets embassies in South Korea

A state-sponsored espionage campaign, attributed to North Korean threat actors, has been targeting foreign embassies and defense-related institutions in South Korea since March 2025 to deploy XenoRAT malware. The campaign, which has launched at least 19 spearphishing attacks, uses highly contextual and multilingual lures to deliver malicious payloads via GitHub and cloud storage services. The latest attack involved deepfakes of South Korean military identification documents, targeting journalists, researchers, and human-rights activists with themes related to sensitive topics. The campaign's infrastructure and techniques match those of North Korean actor Kimsuky (APT43), but some indicators suggest possible Chinese involvement. The malware, XenoRAT, is a powerful trojan capable of logging keystrokes, capturing screenshots, accessing webcams and microphones, performing file transfers, and facilitating remote shell operations. It is loaded directly into memory and obfuscated to maintain a stealthy presence on infected systems.

Open in new tab