Kimsuky HttpTroy spear-phishing campaign targeting South Korea
Campaign
Summary
A Kimsuky spear-phishing operation delivered HttpTroy to a single victim in South Korea, giving the attackers a multi-stage path to remote control and persistence. The lure used a ZIP file disguised as a VPN invoice, which helped hide the malicious payload from the target. The chain enabled file transfer, screenshot capture, and arbitrary command execution over HTTP POST to load.auraria[.]org. The operation matters because it combines social engineering, stealthy persistence, and a fully featured backdoor into one intrusion path.
Related Happenings
Konni blockchain developer targeting campaign with AI-generated PowerShell malware
Campaign
First: 24.01.2026 17:23
Last: 24.01.2026 17:23
Sources 1
About this happening:
**Konni (Opal Sleet, TA406)** is running an **active campaign** that uses **AI-generated PowerShell malware** to target **developers and engineers in the blockchain sector**, with...
Kimsuky HttpTroy backdoor activity against South Korean users
Malware Activity
First: 05.11.2025 04:00
Last: 05.11.2025 04:00
Sources 1
About this happening:
**Kimsuky** has deployed the **HttpTroy** backdoor against **South Korean users**, expanding a multi-stage infection chain that is designed to evade detection. The malware gives o...
BO Team phishing campaign targeting Russian companies with password-protected RAR archives
Campaign
First: 26.09.2025 15:45
Last: 26.09.2025 15:45
Sources 1
About this happening:
**BO Team** ran an **early September 2025** phishing campaign that targeted **Russian companies** and used **password-protected RAR archives** to deliver backdoor payloads. The op...
ScarCruft Operation HanKook Phantom phishing campaign targeting South Korean researchers
Campaign
First: 01.09.2025 11:26
Last: 01.09.2025 11:26
Sources 1
About this happening:
A **ScarCruft (APT37)** phishing operation called **Operation HanKook Phantom** is targeting **South Korean academics, former officials, and researchers** with a **RokRAT** infect...
RokRAT malware activity on Windows hosts
Malware Activity
First: 01.09.2025 11:26
Last: 01.09.2025 11:26
Sources 1
About this happening:
The **RokRAT** malware is being delivered through **malicious LNK** and **PowerShell** chains, giving operators control over infected Windows hosts and enabling **cloud-based exfi...
Timeline
- 03.11.2025 12:42 · 2 articles
Kimsuky spear-phishing campaign delivers HttpTroy to a victim in South Korea
Initial Disclosure: A Kimsuky spear-phishing campaign targeted a single victim in South Korea with a ZIP attachment disguised as a VPN invoice, delivering the previously undocumented HttpTroy backdoor through a small dropper and the MemLoad loader; the chain set up persistence with a scheduled task named AhnlabUpdate and enabled file transfer, screenshot capture, arbitrary command execution, and HTTP POST communication with load.auraria[.]org.
- New HttpTroy Backdoor Poses as VPN Invoice in Targeted Cyberattack on South Korea — thehackernews.com — 03.11.2025 12:42