Researchers at Gen Threat Labs have identified two new toolsets in active use by North Korean state-sponsored groups, underscoring the regime’s continued investment in advanced cyber-espionage and intrusion capabilities. The findings reveal the Kimsuky group deploying a stealthy new backdoor dubbed “HttpTroy”, while the notorious Lazarus Group has been observed using an upgraded variant of its BLINDINGCAN remote access tool (RAT).
Both campaigns, according to the report, “reveal the same underlying pattern: stealthy code and layered obfuscation.” The two DPRK-linked groups appear to be refining their toolchains for persistence, data theft, and covert command execution across global targets, including victims in South Korea and Canada.
The Kimsuky operation began with a phishing lure disguised as a VPN service invoice. The ZIP archive, titled “250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서” (견적서 is Korean for “quotation”), contained an .scr screensaver executable that launched a multi-stage infection chain ending in the HttpTroy backdoor.
Gen Threat Labs explains: “The Kimsuky attack targeted a single victim in KR and started with a ZIP file that looked like a VPN invoice, then quietly installed tools that let attackers move files, take screenshots and run commands.”
Stage 1: MemLoad_V3 Loader
The dropper carried three embedded files, each obfuscated with the single-byte XOR key 0x39. When executed, it opened a decoy PDF (a fake VPN bill) for the victim while silently deploying the MemLoad_V3.dll loader via regsvr32.exe.
The loader had two functions:
- Persistence: It created a scheduled task named “AhnlabUpdate”, mimicking a legitimate AhnLab antivirus update task, and configured it to run every minute with the command regsvr32.exe /s <CURRENT_FILENAME>, so the loader DLL is silently re-registered and re-executed from its own file path.
- Payload decryption: It RC4-decrypted the final-stage payload and executed the HttpTroy backdoor directly in memory, leaving no decrypted copy on disk.
Stage 2: The HttpTroy Backdoor
HttpTroy gives the operators full control over an infected host: file transfer, command execution, reverse shells, screenshot capture, and process termination. Its complexity lies in evasion rather than features. Windows API calls are resolved at runtime from custom hashes rather than imported by name, and strings are obfuscated with XOR and SIMD instructions.
The report notes: “The backdoor avoids reusing API hashes and strings. Instead, it dynamically reconstructs them during runtime using varied combinations of arithmetic and logical operations, further complicating static analysis.”
Communication with the command-and-control (C2) server takes place over HTTP POST requests. Each body is XOR-obfuscated with the single-byte key 0x56 and then Base64-encoded; this hides keywords from naive inspection but is trivially reversed once the key is known. The backdoor accepts commands such as down, exec, or shell, and reports status strings such as “ok”, “fail”, or “connect ok.”
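To make the transport layering concrete, here is an added Python example (not code from the report, and not the malware's own code) that applies and reverses the XOR-then-Base64 wrapping described above, labels a decoded body by the command and status keywords the report names, and brute-forces the single-byte key from a captured body using those keywords as known plaintext. The same xor_bytes routine covers the 0x39 key used on the dropper's embedded files. The keyword-then-argument framing and the sample bodies are assumptions; the report gives the keywords and the key but not the message format.

```python
import base64
from typing import Iterable, Optional

# Keys and tokens taken from the Gen Threat Labs description of the chain.
HTTPTROY_C2_XOR_KEY = 0x56      # C2 bodies: XOR 0x56, then Base64
MEMLOAD_EMBED_XOR_KEY = 0x39    # files embedded in the MemLoad_V3 dropper
KNOWN_COMMANDS = {"down", "exec", "shell"}
KNOWN_STATUS = {"ok", "fail", "connect ok"}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. It is its own inverse, so one routine both applies and strips it."""
    return bytes(b ^ key for b in data)


def encode_c2_body(plaintext: bytes, key: int = HTTPTROY_C2_XOR_KEY) -> str:
    """Produce the wire form of a body: XOR first, then Base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_c2_body(body: str, key: int = HTTPTROY_C2_XOR_KEY) -> bytes:
    """Reverse the layering on a captured POST body: Base64-decode, then XOR."""
    return xor_bytes(base64.b64decode(body), key)


def classify(plaintext: bytes) -> str:
    """Label a decoded body by its leading token. The framing (keyword, space,
    arguments) is an assumption; the report names the keywords but not the format."""
    text = plaintext.decode("utf-8", errors="replace").strip()
    if text in KNOWN_STATUS:
        return "status:" + text
    first = text.split(None, 1)[0] if text else ""
    if first in KNOWN_COMMANDS:
        return "command:" + first
    return "unknown"


def recover_xor_key(body: str, markers: Iterable[str] = ()) -> Optional[int]:
    """Recover a single-byte XOR key from a captured body by trying all 256 keys and
    keeping the one that yields printable ASCII starting with a known token."""
    markers = tuple(markers) or tuple(KNOWN_STATUS | KNOWN_COMMANDS)
    raw = base64.b64decode(body)
    for key in range(256):
        candidate = xor_bytes(raw, key)
        if not all(0x20 <= b < 0x7F for b in candidate):
            continue
        if candidate.decode("ascii").startswith(markers):
            return key
    return None


if __name__ == "__main__":
    # Constructed sample traffic: a beacon reply and a download command with an assumed argument.
    for sample in (b"connect ok", b"down C:\\Users\\victim\\Documents\\quote.pdf"):
        wire = encode_c2_body(sample)
        print(wire, "->", decode_c2_body(wire), classify(decode_c2_body(wire)))
    print("recovered key: 0x%02x" % recover_xor_key(encode_c2_body(b"ok")))
```

The key-recovery routine is the part worth keeping in an analyst's toolbox: a single-byte XOR over a body that contains any predictable token collapses to 256 candidates, so a captured POST can be decoded without the sample in hand. The printable-ASCII filter discards most wrong keys before the marker check runs.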
In a parallel campaign, Lazarus Group was observed using a new version of its Comebacker dropper, which leads to a re-engineered BLINDINGCAN RAT. Two infected hosts in Canada were caught mid-chain: the initial-access stage, most likely a phishing email, had already taken place, so the researchers only saw the later stages.
The researchers found two Comebacker variants:
- A DLL sample executed as a Windows service (NetSvcInst_v1_Rundll32.dll), and
- An EXE sample (ssh.bin) launched through cmd.exe.
Despite the difference in format, both variants performed the same operations: decrypting payloads, creating registry keys, and dropping the next-stage service DLL. Gen Threat Labs observed that “execution is gated by specific command-line arguments” (up45V3FR9ee9 for the DLL and 760H33ls9L5S for the EXE), so a sample launched without the expected token, for example by an automated sandbox, does not proceed to the payload; the operators keep control over when and where it activates.
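The two host-side tells on this page, the every-minute regsvr32.exe /s task from the MemLoad_V3 stage and the gate arguments that Comebacker requires, both show up in process-creation telemetry. The following Python is an added example, not tooling from Gen Threat Labs, that runs three rules over constructed Sysmon-style events: a silent regsvr32 of a DLL outside vendor directories (with svchost.exe, the host of the Task Scheduler service, as parent), either gate token on a command line, and cmd.exe starting an image that is not a .exe, as with ssh.bin. The event field names, the trusted-directory list, the rundll32 entry point and all sample paths are assumptions.

```python
import re
from typing import Dict, List, Tuple

# From the report: MemLoad_V3 persists via a scheduled task that runs
# "regsvr32.exe /s <file>" every minute, and Comebacker only executes when it is
# given one of two gate arguments. The event shape, the parent-process heuristic,
# the trusted-directory list and the sample events are constructed for this example.
COMEBACKER_GATE_ARGS = {"up45V3FR9ee9", "760H33ls9L5S"}
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
_SILENT_REGSVR32 = re.compile(r'regsvr32(?:\.exe)?\s+/s\s+(?P<target>"[^"]+"|\S+)', re.I)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event matches this chain (empty if none)."""
    reasons: List[str] = []
    cmd = ev.get("CommandLine", "")
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()

    # Rule 1: silent regsvr32 of a DLL outside vendor directories, and separately
    # regsvr32 spawned by svchost.exe, which hosts the Task Scheduler service.
    m = _SILENT_REGSVR32.search(cmd)
    if m:
        target = m.group("target").strip('"').lower()
        if not target.startswith(TRUSTED_DLL_DIRS):
            reasons.append("silent regsvr32 of DLL outside trusted directories: " + target)
        if parent.endswith("\\svchost.exe"):
            reasons.append("regsvr32 started by svchost.exe (scheduled task)")

    # Rule 2: a Comebacker gate token anywhere on the command line.
    for tok in sorted(COMEBACKER_GATE_ARGS & set(cmd.split())):
        reasons.append("Comebacker gate argument present: " + tok)

    # Rule 3: cmd.exe launching an executable image whose extension is not .exe
    # (the EXE variant was dropped as ssh.bin).
    if parent.endswith("\\cmd.exe") and image and not image.endswith((".exe", ".com")):
        reasons.append("cmd.exe launched non-.exe image: " + image)
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every event through check_event and return (event id, reason) pairs."""
    return [(ev["Id"], r) for ev in events for r in check_event(ev)]


# Constructed sample events (Sysmon-style fields); paths and the DLL entry point are invented.
SAMPLE_EVENTS = [
    {"Id": "1", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s C:\\Users\\victim\\AppData\\Local\\Temp\\MemLoad_V3.dll",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"Id": "2", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\ProgramData\\NetSvcInst_v1_Rundll32.dll,Start up45V3FR9ee9",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"Id": "3", "Image": "C:\\Users\\Public\\ssh.bin",
     "CommandLine": "C:\\Users\\Public\\ssh.bin 760H33ls9L5S",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Id": "4", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s C:\\Windows\\System32\\vbscript.dll",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},   # benign-looking re-registration
]

if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(event_id, reason)
```

The gate-token rule is high fidelity but sample-specific and will go stale with the next build; the regsvr32 rule is the durable one, and it is the combination of a user-writable DLL path with a Task Scheduler parent that makes it worth paging on, since installers legitimately run regsvr32 /s against vendor directories all day.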
The final payload, T_DLL64.dll, marks a major step forward in Lazarus’s malware engineering. This new BLINDINGCAN variant adds multi-layered encryption, runtime configuration, and expanded command support.
The malware begins by authenticating itself to its C2 server through a multi-step RSA-based handshake, followed by AES-encrypted communication. Once active, it can exfiltrate files, manipulate the filesystem, take screenshots, and even capture photos from connected webcams using COM interfaces.
According to the report, “The backdoor acts as a complete suite for attackers, offering them the possibility to perform any action they desire.”
The new BLINDINGCAN variant supports 27 unique commands, including:
- File exfiltration and secure deletion
- Command-line execution (via CreateProcessW and CreateProcessAsUserW)
- System enumeration (OS, MAC, CPU, locale info)
- Screenshot and webcam capture
- In-memory PE loading and configuration updates
The researchers confirmed that communications use AES-128-CBC for confidentiality and an MD5 digest for integrity checking (a checksum against corruption; whether it is keyed is not stated), wrapped in additional XOR and Base64 obfuscation layers.
Gen Threat Labs concludes: “Kimsuky and Lazarus continue to sharpen their tools, showing that DPRK-linked actors aren’t just maintaining their arsenals, they’re reinventing them.”