
HttpTroy Backdoor

A North Korea-linked actor tracked as Kimsuky has been observed delivering a previously unseen backdoor, dubbed 'HttpTroy', against a single target in South Korea. The disclosure did not include a timeline, but researchers report the intrusion began with a carefully crafted phishing package that impersonated a VPN invoice to trick the victim into opening the malicious archive.

Delivery And Initial Execution

The infection began with a ZIP archive that posed as an invoice for VPN equipment. Inside was a Windows SCR file that, when executed, launched an automated three-stage execution chain. The first stage is a small dropper implemented as a Golang binary. That dropper carries three embedded resources, one of which is a benign PDF shown to the user as a decoy so the malicious activity runs unnoticed in the background.

The Execution Chain

  • Small Golang dropper (contains embedded decoy PDF and other payloads)
  • Loader component named MemLoad
  • Final DLL backdoor dubbed HttpTroy

Persistence And Loader Behavior

The loader, MemLoad, runs concurrently with the dropper and handles persistence and payload deployment. It creates a scheduled task labeled 'AhnlabUpdate' — an obvious attempt to mimic AhnLab to reduce suspicion — and uses that task to ensure the backdoor is loaded on a continuing basis. MemLoad is also responsible for decrypting and injecting the DLL backdoor into the host process space for execution.
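The persistence trick described above, a scheduled task named after a security vendor, is cheap to hunt for. The script below is an added example and not part of the report or any vendor tooling: it takes the CSV layout produced by `schtasks /query /fo CSV /v` (columns trimmed to the ones used), and flags tasks whose name borrows a vendor word but whose command runs from a user-writable directory or through a DLL-loading utility. The vendor word list, trusted-directory list and the sample rows are constructed assumptions; only the 'AhnlabUpdate' name comes from the report.

```python
"""Hunt for scheduled tasks that borrow a security vendor's name but run from
user-writable locations.  Added illustration, not code from the HttpTroy report.
Input is a constructed sample in the CSV layout of `schtasks /query /fo CSV /v`
(columns trimmed to the ones used here)."""
import csv
import io
import re

# Vendor words an implant might borrow for a task name.  AhnLab is the one the
# MemLoad loader imitates; the others are assumed examples.
VENDOR_WORDS = ("ahnlab", "microsoft", "windows", "google", "adobe")

# Path fragments that mark user-writable staging directories (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Utilities commonly abused to load a DLL or script from disk (assumed list).
LOLBIN_RE = re.compile(r"(rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?\b", re.I)

# Constructed sample: one lookalike task, one genuine Windows task, one genuine
# vendor task installed under Program Files.
SAMPLE_CSV = r'''"TaskName","Next Run Time","Status","Task To Run","Run As User"
"\AhnlabUpdate","N/A","Ready","rundll32.exe C:\Users\victim\AppData\Local\Temp\svc.dll,Run","victim"
"\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"\AhnLab Safe Transaction Updater","N/A","Ready","C:\Program Files\AhnLab\Updater\update.exe","SYSTEM"
'''


def suspicious_tasks(csv_text):
    """Return [(task name, [reasons])] for tasks whose name contains a vendor
    word and whose command either runs from a user-writable path or is
    launched through a DLL/script host.  Genuine vendor tasks that run from
    their install directory produce no reasons and are not returned."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"]
        cmd = row["Task To Run"].strip().strip('"').lower()
        if not any(word in name.lower() for word in VENDOR_WORDS):
            continue
        reasons = []
        if any(frag in cmd for frag in USER_WRITABLE):
            reasons.append("runs from user-writable path")
        if LOLBIN_RE.match(cmd):
            reasons.append("launched via LOLBin")
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    for task, why in suspicious_tasks(SAMPLE_CSV):
        print(task, "->", "; ".join(why))
```

On a live host, replace `SAMPLE_CSV` with the output of `schtasks /query /fo CSV /v` and keep the full column set; the two heuristics are deliberately narrow, so a hit is a triage lead rather than a verdict.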

Capabilities Provided By The Backdoor

  • Upload and download arbitrary files to/from the victim host
  • Capture screenshots of the desktop
  • Execute commands with elevated privileges and spawn reverse shells
  • Load and run executables directly in memory (fileless execution)
  • Terminate processes and remove traces of activity

Command-and-Control And Network Behavior

HttpTroy communicates with its controller over plain HTTP by sending POST requests to a C2 domain identified as load.auraria.org. The use of HTTP POST makes network traffic blend with normal web traffic unless specifically profiled.
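Because the implant hides in ordinary HTTP POST traffic, the practical defensive angle is prevalence: a POST destination that only one host in the estate ever talks to, at a steady interval, stands out even when each request looks benign. The script below is an added example, not detection content from the researchers. It reads constructed proxy log lines in a simplified `timestamp src_ip method host path bytes` format, counts how many distinct sources contact each host, and reports POST destinations seen from at most `max_hosts` sources along with the spacing between their requests. The allowlist, the threshold and every log line are assumptions; only the domain load.auraria.org comes from the report.

```python
"""Flag HTTP POST traffic to destinations that few hosts in the estate contact.
Added illustration, not detection content from the HttpTroy report.  Log lines
are constructed in a simplified proxy format:  ts src_ip method host path bytes."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: two hosts posting to a SaaS login endpoint, routine GETs,
# and one host posting every 60 seconds to the C2 domain named in the report.
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.0.11 GET www.microsoft.com /en-us/ 5120
2024-01-01T09:00:02 10.0.0.12 POST login.microsoftonline.com /common/oauth2/token 812
2024-01-01T09:00:03 10.0.0.13 POST login.microsoftonline.com /common/oauth2/token 790
2024-01-01T09:00:04 10.0.0.14 GET update.ahnlab.com /v3/manifest 2048
2024-01-01T09:00:05 10.0.0.11 POST load.auraria.org /index.php 1433
2024-01-01T09:01:05 10.0.0.11 POST load.auraria.org /index.php 1511
2024-01-01T09:02:05 10.0.0.11 POST load.auraria.org /index.php 1497
2024-01-01T09:00:06 10.0.0.15 GET www.microsoft.com /en-us/ 5120
"""

# Destinations a site has vetted; assumed example entries.
ALLOWLIST = frozenset({"login.microsoftonline.com"})


def rare_post_destinations(log_text, max_hosts=1, allowlist=ALLOWLIST):
    """Return {host: summary} for POST destinations contacted (by any method)
    from at most `max_hosts` distinct sources and not on the allowlist.
    The summary carries the sources, POST count, bytes sent and the gaps in
    seconds between consecutive POSTs, so a fixed beacon interval is visible."""
    posts = defaultdict(list)    # host -> [(datetime, src, bytes)]
    sources = defaultdict(set)   # host -> distinct source IPs
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, _path, size = line.split()
        sources[host].add(src)
        if method == "POST":
            posts[host].append((datetime.fromisoformat(ts), src, int(size)))

    findings = {}
    for host, events in posts.items():
        if host in allowlist or len(sources[host]) > max_hosts:
            continue
        events.sort()
        gaps = [
            (later[0] - earlier[0]).total_seconds()
            for earlier, later in zip(events, events[1:])
        ]
        findings[host] = {
            "sources": sorted(sources[host]),
            "post_count": len(events),
            "bytes_out": sum(e[2] for e in events),
            "intervals_s": gaps,
        }
    return findings


if __name__ == "__main__":
    for host, summary in rare_post_destinations(SAMPLE_LOG).items():
        print(host, summary)
```

The prevalence threshold should be tuned to the size of the estate; on a fleet of thousands of hosts a destination seen from a handful of machines is still rare. Pair the hit with a look at the request body sizes and intervals before escalating, since a lone developer workstation talking to a private API will trip the same rule.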

Anti-analysis And Obfuscation Techniques

The implant uses several layered obfuscation measures to frustrate static analysis and signature detection. Instead of hardcoding API names and strings, it hides API calls via custom hash routines and conceals textual artifacts with XOR and SIMD-style manipulations. Importantly, it does not reuse the same hashed values or string encodings — the malware reconstructs required API hashes and strings on the fly using varying arithmetic and logical operations, which increases the cost of reverse engineering and signature creation.

Attribution And Context

Behavioral indicators and targeting align the activity with Kimsuky. The attack appears to be a targeted spear-phish aimed at a South Korean recipient. The exact timing of the incident was not released by the researchers.

Conclusion

To detect and mitigate potential infections involving HttpTroy, organizations should closely monitor their systems for any suspicious scheduled tasks, particularly those masquerading as legitimate vendor updates. Network defenses should be configured to identify and flag HTTP POST communications directed at unknown or uncommon external domains, allowing deeper inspection of transmitted data when possible.

Security teams are also advised to restrict or block the execution of unexpected SCR files and unrecognized Golang binaries across endpoints. In addition, deploying robust endpoint protection solutions capable of identifying in-memory code execution and detecting anomalous process injection activity can significantly reduce the risk of compromise.
