Kimsuky and Lazarus Hacker Groups Unveil New Tools That Enable Backdoor and Remote Access


Threat actors operating under the control of North Korea’s regime have demonstrated continued technical sophistication by introducing advanced malware toolsets designed to establish persistent backdoor access and remote control over compromised systems.

Recent findings have revealed that Kimsuky, known for orchestrating espionage campaigns, deployed HttpTroy, while the Lazarus APT group introduced an enhanced variant of BLINDINGCAN.

These developments underscore the ongoing evolution of state-sponsored cyber operations targeting organizations across multiple nations.

The attack campaigns reveal a carefully orchestrated approach, beginning with deceptive delivery mechanisms and progressing through multiple infection stages.

Each component within these malware chains serves a distinct purpose, from initial system compromise to establishing stealthy command-and-control communications.

The infrastructure supporting these operations utilizes sophisticated obfuscation techniques and layered encryption protocols, demonstrating a comprehensive understanding of modern defensive measures and detection systems.


Decoy PDF (Source – Gendigital)

Gendigital analysts identified that the Kimsuky attack targeted a single victim in South Korea and was initiated through a ZIP archive masquerading as a VPN invoice from a legitimate Korean security company.

The deception proved effective, as the innocuous-looking filename encouraged execution of a malicious screensaver file contained within.

The Lazarus operation, by contrast, targeted two Canadian entities and incorporated newer techniques for concealing payload delivery and establishing service-based persistence mechanisms that evade traditional endpoint detection approaches.

The sophistication evident in these campaigns reflects distinct operational patterns attributed to each group.

Kimsuky’s attack leveraged Korean language-based social engineering and scheduled task naming conventions consistent with local antivirus software, creating plausible-sounding system activities.

Lazarus employed more complex service enumeration and dynamic registry manipulation, suggesting targeting of enterprise infrastructure where legitimate system services provide effective camouflage for malicious operations.

HttpTroy Infection Mechanism and Persistence Strategy

The Kimsuky campaign employed a three-stage infection chain beginning with a lightweight Go-based dropper containing three embedded files encrypted using XOR operations.

Upon execution, the dropper displays a deceptive PDF invoice while simultaneously establishing the backdoor infrastructure through COM server registration via regsvr32.exe.

The second stage, identified as Memload_V3, creates scheduled tasks mimicking AhnLab antivirus updates, repeating every minute to maintain persistence.

Gendigital researchers noted that HttpTroy represents the final payload, providing attackers with comprehensive control capabilities including file manipulation, screenshot capture, command execution with elevated privileges, and reverse shell deployment.

The backdoor communicates exclusively through HTTP POST requests, implementing two-layer obfuscation consisting of XOR encryption using key 0x56 followed by Base64 encoding.

This communication protocol allows attackers to receive commands formatted as simple “command parameter” structures while reporting execution status through specific identifiers, with successful operations confirmed through “ok” responses and failed attempts indicated through “fail” messages.
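As an added illustration of the transport layer described above (not code from the report or from the malware itself), the following Python decoder reverses the two obfuscation layers attributed to HttpTroy: Base64 decoding followed by a single-byte XOR with 0x56. It then splits the recovered text into the "command parameter" shape the article describes and classifies the "ok"/"fail" status strings. The sample command names and the captured-looking POST body are constructed for the example; the single-space separator between command and parameter is an assumption. An analyst with a real packet capture would feed the POST body into decode_layer() to inspect what was exchanged.

```python
import base64

# Single-byte XOR key reported for HttpTroy's HTTP POST bodies.
XOR_KEY = 0x56


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Apply a repeating single-byte XOR (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def encode_layer(plaintext: bytes) -> str:
    """Forward direction as described: XOR with 0x56, then Base64.
    Useful for building test vectors when writing detections."""
    return base64.b64encode(xor_bytes(plaintext)).decode("ascii")


def decode_layer(body: str) -> bytes:
    """Reverse direction: Base64-decode, then XOR with 0x56."""
    return xor_bytes(base64.b64decode(body))


def parse_command(decoded: bytes) -> tuple[str, str]:
    """Split a decoded tasking message into (command, parameter).

    The article describes a simple "command parameter" structure; a
    single-space separator is an assumption made for this example.
    A message without a parameter yields an empty parameter string."""
    text = decoded.decode("utf-8", errors="replace").strip()
    command, _, parameter = text.partition(" ")
    return command, parameter


def classify_status(decoded: bytes) -> str:
    """Map the reported status strings to an analyst-friendly label."""
    text = decoded.decode("utf-8", errors="replace").strip()
    if text == "ok":
        return "success"
    if text == "fail":
        return "failure"
    return "unknown"


def looks_like_httptroy_body(body: str) -> bool:
    """Cheap triage check for a captured POST body: does it Base64-decode
    and, after XOR with 0x56, yield printable ASCII? Many benign Base64
    blobs will not, so this is a triage hint, not a verdict."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (ValueError, base64.binascii.Error):
        return False
    if not raw:
        return False
    decoded = xor_bytes(raw)
    return all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in decoded)


if __name__ == "__main__":
    # Constructed sample: a tasking message as it would sit in a POST body.
    sample_plain = b"shell whoami"          # constructed command/parameter
    sample_body = encode_layer(sample_plain)  # constructed "captured" body
    print("encoded body :", sample_body)
    print("decoded text :", decode_layer(sample_body))
    print("parsed       :", parse_command(decode_layer(sample_body)))
    print("status 'ok'  :", classify_status(decode_layer(encode_layer(b"ok"))))
    print("triage hint  :", looks_like_httptroy_body(sample_body))
```

Because XOR with a fixed key is symmetric, the same helper serves both directions, which is why a defender can generate known-good test vectors (encode_layer) and confirm a decoder or network signature against them before running it over real captures.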

The malware’s architecture incorporates dynamic API hashing and runtime string reconstruction techniques, preventing static analysis while complicating detection mechanisms deployed by security organizations monitoring for known malware signatures and behavioral indicators.
