A new and dangerous backdoor has been deployed in a North Korean hacking campaign likely aimed at specific victims in South Korea.
The hackers cleverly disguised their malware as a routine VPN invoice to trick the target into opening it.
The deceptive VPN invoice attack
Kimsuky, the crew thought to be behind the latest threat, apparently has some ties to North Korea. Researchers say they launched HttpTroy in a spear-phishing email attack that targeted a single person in South Korea. The email had a ZIP file attached, hidden well enough that most security programs can’t spot it.
The file, named “250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip,” was disguised as a legitimate VPN quote. The use of a VPN-related lure is particularly clever, as VPNs are commonly used by international fans to access South Korean content, such as the latest K-Dramas on free streaming sites.
Inside the archive was a sneaky SCR file. The SCR extension marks a Windows screensaver, but such a file is an ordinary executable and runs like one when opened. Opening this file triggered the entire attack.
The infection chain had three clever steps. It started with a small dropper, a Golang binary that contained three embedded files.
One of these files was a decoy PDF document that displayed a fake invoice to the victim. This was meant to avoid raising any suspicion while the malware installed itself in the background.
Gaining total control of the system
In the next stage, a loader called MemLoad established persistence on the infected computer by creating a scheduled task named “AhnlabUpdate.”
This name was a deliberate attempt to impersonate AhnLab, a well-known South Korean cybersecurity company. The trick helps the malware blend in with normal system activity, exploiting the same “trusted entity” blind spots that make insider threats so dangerous. (Understanding these common vulnerabilities is key, as highlighted in our insider threats statistics.)
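A defender can turn the impersonation trick described above into a detection: a scheduled task whose name borrows a security vendor's brand but whose action does not run from that vendor's install directory deserves a look. The example below is added here and is not code from the original article or from the researchers; the log lines are constructed in a simplified pipe-separated form modelled on Windows Security event 4698 (scheduled task created), and the vendor install paths are assumptions.

```python
from dataclasses import dataclass

# Constructed sample records (not real telemetry from this campaign).
# Format: event id | task name | command the task runs | creating account
SAMPLE_EVENTS = [
    "4698|\\AhnlabUpdate|C:\\Users\\victim\\AppData\\Local\\Temp\\dropped.dll|victim",
    "4698|\\AhnLab\\V3 Lite Updater|C:\\Program Files\\AhnLab\\V3Lite\\V3Update.exe|SYSTEM",
    "4698|\\Microsoft\\Windows\\Defrag\\ScheduledDefrag|C:\\Windows\\System32\\defrag.exe|SYSTEM",
]

# Vendor brand substrings that attackers borrow for task names, mapped to the
# directory prefix where that vendor's legitimate binaries live. The paths are
# assumptions for this example; adjust them to your environment's inventory.
VENDOR_DIRS = {
    "ahnlab": "c:\\program files\\ahnlab\\",
}


@dataclass
class TaskEvent:
    event_id: str
    task: str
    action: str
    creator: str


def parse_event(line: str) -> TaskEvent:
    """Split one constructed 4698-style record into its four fields."""
    event_id, task, action, creator = line.split("|", 3)
    return TaskEvent(event_id, task, action, creator)


def is_suspicious(event: TaskEvent) -> bool:
    """Flag a task that name-drops a vendor but runs from outside its directory."""
    if event.event_id != "4698":
        return False
    name = event.task.lower()
    action = event.action.lower()
    for vendor, legit_dir in VENDOR_DIRS.items():
        if vendor in name and not action.startswith(legit_dir):
            return True
    return False


def find_suspicious_tasks(lines) -> list:
    """Return the names of tasks in the given records that look like impersonation."""
    return [e.task for e in map(parse_event, lines) if is_suspicious(e)]


if __name__ == "__main__":
    print(find_suspicious_tasks(SAMPLE_EVENTS))  # ['\\AhnlabUpdate']
```

The genuine AhnLab updater in the sample passes because its action lives under the vendor directory; only the task that borrows the name while running from a user's Temp folder is flagged.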
MemLoad then decrypted and executed the final payload, the HttpTroy backdoor. Once installed, HttpTroy gave the attackers extensive control over the victim’s system.
The backdoor’s capabilities are extensive. It can upload and download files freely. It can capture screenshots and execute commands with high-level privileges.
It also allows reverse shell access. This lets attackers directly control the computer remotely. They can also terminate processes and remove traces of their activity.
HttpTroy communicates with its command-and-control server using HTTP POST requests to a server at “load.auraria[.]org”. This is how it receives instructions and sends stolen data.
Threat actors getting smarter with their tricks
It looks like those threat actors are getting craftier! Security researchers pointed out that this backdoor is pretty complex. Apparently, HttpTroy uses layers of trickery to make it harder to figure out what’s going on. API calls are hidden using custom hashing techniques.
Strings within the code are obfuscated. The malware uses a mix of XOR operations and SIMD instructions. This makes it very hard for security tools to detect its malicious intent.
Notably, the backdoor avoids reusing its tricks. It dynamically rebuilds API hashes and strings during runtime. It uses varied combinations of arithmetic and logical operations.
This approach significantly complicates static analysis. The campaign demonstrates a well-structured and multi-stage infection chain. Each component is designed to evade detection and maintain access.
Gen Digital, the global cybersecurity firm that first disclosed details of this new backdoor, says Lazarus and Kimsuky aren’t just keeping their old tricks, they’re coming up with new ones. These hacking groups keep changing things up, always looking for fresh ways to break in. The use of custom encryption and dynamic methods highlights their continued technical evolution.
What does this mean for your daily digital life? This campaign is a perfect reminder to treat every unexpected attachment with extreme caution, especially those posing as invoices or quotes. Always verify through a separate channel before clicking. In cybersecurity, a healthy dose of skepticism is your best friend.