North Korean state-sponsored groups Kimsuky and Lazarus have stepped up their operations with new and updated remote access backdoors. The latest samples, Kimsuky's HttpTroy and an upgraded Lazarus variant of BLINDINGCAN, show how both actors keep refining their tooling to evade detection and hold persistent access to compromised hosts.
Threat researchers have identified two distinct toolsets: Kimsuky's new HttpTroy backdoor and an upgraded BLINDINGCAN variant used by Lazarus. Both have been deployed in targeted campaigns, in the cases described here against organizations in South Korea and Canada.
Kimsuky campaign: social engineering and HttpTroy
The Kimsuky operation targeted a single organization in South Korea with a convincing fake business email. The lure was a ZIP archive posing as a VPN invoice; opening the file inside it kicked off a chain of processes that ultimately installed HttpTroy, a backdoor that gives the operators full control of the infected host.
The first stage was a lightweight Go-based dropper that opened a plausible-looking decoy PDF while it ran. The dropper decodes its embedded payloads with a single-byte XOR (key 0x39), which is obfuscation rather than real encryption, and sets up persistence through a scheduled task that masquerades as an AhnLab antivirus update.
HttpTroy can upload and download files, take screenshots, run commands, exfiltrate data, and clean up its own traces. All command-and-control traffic goes over HTTP POST requests, with XOR and Base64 applied to the payloads to hinder analysis.
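The two obfuscation steps above are simple enough to work through by hand. The block below is an added example, not code from the article or from the researchers it cites: it carves a single-byte-XOR payload out of a constructed dropper blob (recovering the key two independent ways, from the `MZ` header and from byte frequency) and then encodes and decodes a constructed C2 beacon with XOR plus Base64. The C2 key, its length and the XOR-then-Base64 layering are assumptions for illustration; the page gives only the dropper key 0x39.

```python
import base64
from collections import Counter
from typing import Optional

DROPPER_KEY = 0x39  # the single-byte key the article attributes to the Kimsuky dropper


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so this both
    obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in data)


def recover_key_known_prefix(blob: bytes, prefix: bytes = b"MZ") -> Optional[int]:
    """Recover a single-byte XOR key from a known plaintext prefix (a PE starts
    with 'MZ'). Returns None unless every prefix byte agrees on the same key."""
    if len(blob) < len(prefix):
        return None
    key = blob[0] ^ prefix[0]
    return key if all(c ^ key == p for c, p in zip(blob, prefix)) else None


def recover_key_frequency(blob: bytes) -> int:
    """PE images are mostly 0x00 padding, so after single-byte XOR the most
    frequent byte in the blob is the key itself. Works without a known prefix."""
    return Counter(blob).most_common(1)[0][0]


# --- C2 side ---------------------------------------------------------------
# The article only says HttpTroy wraps POST bodies in XOR and Base64. The key,
# its length and the layering order below are assumptions for illustration,
# not HttpTroy's real protocol.
C2_KEY = b"\x39"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; with a one-byte key this equals xor_single()."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(plaintext: bytes, key: bytes = C2_KEY) -> str:
    """Assumed layering: XOR first, then Base64 for transport in a POST body."""
    return base64.b64encode(xor_repeating(plaintext, key)).decode("ascii")


def decode_beacon(body: str, key: bytes = C2_KEY) -> bytes:
    """Inverse of encode_beacon: strip Base64, then undo the XOR."""
    return xor_repeating(base64.b64decode(body), key)


# --- constructed sample data (not bytes from a real sample) -----------------
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"stage two follows"
EMBEDDED_BLOB = xor_single(FAKE_PE, DROPPER_KEY)  # what an analyst would carve from the dropper


def carve_payload(blob: bytes) -> bytes:
    """Recover the key two independent ways, cross-check them, then decode."""
    k1 = recover_key_known_prefix(blob)
    k2 = recover_key_frequency(blob)
    if k1 is None or k1 != k2:
        raise ValueError(f"key recovery disagrees: prefix={k1} frequency={k2:#x}")
    return xor_single(blob, k1)


if __name__ == "__main__":
    print(f"recovered key: {recover_key_frequency(EMBEDDED_BLOB):#x}")
    print("decoded header:", carve_payload(EMBEDDED_BLOB)[:4])
    body = encode_beacon(b"host=WS01&user=alice&cmd=screenshot")
    print("POST body:", body)
    print("decoded:", decode_beacon(body))
```

The frequency trick is the one to remember: a single-byte XOR turns a PE's long runs of null padding into long runs of the key byte, so the key is visible in a hex dump before any tooling is involved, and the same runs make a good carving signature for the blob inside the dropper.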
Lazarus Group’s updated BLINDINGCAN
In parallel, researchers observed Lazarus running an operation in Canada with an enhanced variant of the BLINDINGCAN remote access tool, delivered by a new variant of the Comebacker loader. The updated BLINDINGCAN improves data collection and remote control, extending Lazarus's long-term espionage capacity.
Both families use anti-analysis techniques such as API hashing (resolving Windows APIs by hash rather than by name, so neither the import table nor a string search reveals what the malware calls), strings rebuilt at runtime instead of stored in the clear, and SIMD-based obfuscation. The goal is to hide activity from static analysis and keep access to high-value systems for as long as possible.
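API hashing is worth seeing concretely, because it is what makes a plain `strings` pass on these samples come back empty. The block below is an added example, not code from the article or from either malware family: it uses a ROR-13 rolling hash (the form common in shellcode and import-hashing loaders; the page does not give the constants HttpTroy or BLINDINGCAN actually use), builds a constructed stand-in for kernel32's export table, shows that a hashed "import table" contains no API names, and resolves the hashes back to names the way an analyst would.

```python
import struct
from typing import Dict, Iterable, List, Optional


def ror13_hash(name: str) -> int:
    """Rolling ROR-13 hash over an ASCII export name. The rotation amount and
    the absence of a module-name term are this example's choices, not the
    constants used by the families on the page."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 in 32 bits
        h = (h + ch) & 0xFFFFFFFF
    return h


# Constructed stand-in for kernel32.dll's export table; on a live analysis box
# you would read the real table with a PE parser (e.g. pefile) instead.
KERNEL32_EXPORTS = [
    "CreateFileW", "ReadFile", "WriteFile", "CreateProcessW", "VirtualAlloc",
    "VirtualProtect", "LoadLibraryA", "GetProcAddress", "CreateToolhelp32Snapshot",
    "Sleep", "ExitProcess",
]


def build_hash_table(exports: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name; refuse to build on a collision, because a
    collision would mis-resolve silently at lookup time."""
    table: Dict[int, str] = {}
    for name in exports:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} vs {name}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Turn hashes pulled from a sample back into names. Unknown hashes come
    back as None (wrong DLL, or a different hash algorithm than assumed)."""
    return [table.get(h) for h in hashes]


def malware_style_import_table(names: Iterable[str]) -> bytes:
    """How a hashing loader stores its 'imports': little-endian DWORD hashes only,
    so no API name ever appears in the binary."""
    return b"".join(struct.pack("<I", ror13_hash(n)) for n in names)


def extract_dword_hashes(blob: bytes) -> List[int]:
    """Read the hash array back out of a constructed blob (4-byte aligned)."""
    return [struct.unpack_from("<I", blob, off)[0] for off in range(0, len(blob) - 3, 4)]


def names_in_binary(blob: bytes, names: Iterable[str]) -> List[str]:
    """Which API names are visible in the clear; for a hashed table this is empty."""
    return [n for n in names if n.encode("ascii") in blob]


WANTED = ["VirtualAlloc", "VirtualProtect", "CreateProcessW", "Sleep"]
SAMPLE_TABLE = malware_style_import_table(WANTED)   # constructed, not a real sample

if __name__ == "__main__":
    table = build_hash_table(KERNEL32_EXPORTS)
    print("API names visible in the blob:", names_in_binary(SAMPLE_TABLE, KERNEL32_EXPORTS))
    hashes = extract_dword_hashes(SAMPLE_TABLE)
    for h, n in zip(hashes, resolve_hashes(hashes, table)):
        print(f"{h:#010x} -> {n}")
```

In practice the hash routine is recovered from the sample's resolver loop first, then run over the real export tables of the DLLs the sample loads; a `None` in the resolved list usually means the wrong DLL was hashed or the routine was transcribed wrongly, not that the API is unknown.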
North Korean threat actors continue to evolve
These two campaigns highlight a worrying trend in how North Korean threat actors adapt to modern defensive measures. By combining social engineering, customized malware, and multi-layered obfuscation, Kimsuky and Lazarus remain significant global threats.
Security professionals recommend several countermeasures:
- Treat unexpected email attachments with suspicion, especially ZIP archives, and check what an archive actually contains before opening anything inside it.
- Remember that .scr (screen saver) files are ordinary Windows executables; one named to look like a document or invoice is a common lure.
- Keep security software and threat intelligence feeds up to date.
- Implement behavioral detection for post-compromise activity, such as executables launched from archive extraction or temp directories, and scheduled tasks created by, or pointing at, binaries in user-writable locations.
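The last recommendation is easiest to act on with concrete rules. The block below is an added example, not code or telemetry from the article: it runs three simple behavioral rules over constructed Sysmon-style process-creation records that mirror the chain described above (a .scr executed straight out of a ZIP, then `schtasks` registering a task named after a security vendor). The task name "AhnLab Update", the paths and the command lines are illustrative assumptions; the page says only that the task mimicked an AhnLab update.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed Sysmon-style process-creation records (Event ID 1 fields), written
# for this example; they are not telemetry from the campaigns the article describes.
EVENTS: List[Dict[str, str]] = [
    {   # user double-clicks the 'invoice' inside the ZIP; the shell extracts it to Temp1_<zip>\
        "Image": r"C:\Users\alice\AppData\Local\Temp\Temp1_VPN_invoice.zip\VPN_invoice.pdf.scr",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\Temp1_VPN_invoice.zip\VPN_invoice.pdf.scr"',
    },
    {   # the dropper registers its persistence task (name and target are assumptions)
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Temp1_VPN_invoice.zip\VPN_invoice.pdf.scr",
        "CommandLine": r'schtasks /create /sc minute /mo 10 /tn "AhnLab Update" /tr "C:\Users\alice\AppData\Roaming\svc\update.exe" /f',
    },
    {   # genuine vendor updater: lives under Program Files, started by the service manager
        "Image": r"C:\Program Files\AhnLab\V3\AhnLabUpdate.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r'"C:\Program Files\AhnLab\V3\AhnLabUpdate.exe" /silent',
    },
    {   # admin creating an ordinary task from a command prompt
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /create /sc daily /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe"',
    },
]

USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Public)\\", re.I)
TRUSTED_ROOT = re.compile(r"^[A-Z]:\\(Program Files( \(x86\))?|Windows)\\", re.I)
VENDOR_WORDS = ("ahnlab", "defender", "mcafee", "symantec", "kaspersky", "norton")


def task_args(cmdline: str) -> Tuple[str, str]:
    """Pull the task name (/tn) and action (/tr) out of a schtasks /create command line."""
    tn = re.search(r'/tn\s+"([^"]*)"', cmdline, re.I)
    tr = re.search(r'/tr\s+"([^"]*)"', cmdline, re.I)
    return (tn.group(1) if tn else "", tr.group(1) if tr else "")


def is_schtasks_create(ev: Dict[str, str]) -> bool:
    return ev["Image"].lower().endswith(r"\schtasks.exe") and bool(re.search(r"/create\b", ev["CommandLine"], re.I))


def rule_scr_from_user_writable_path(ev: Dict[str, str]) -> bool:
    """A .scr is a PE; one running out of Temp/Downloads (or a shell-extracted
    Temp1_<zip> folder) is the 'invoice' lure in action."""
    img = ev["Image"]
    return img.lower().endswith(".scr") and USER_WRITABLE.search(img) is not None


def rule_task_name_masquerades_vendor(ev: Dict[str, str]) -> bool:
    """Task named after a security vendor whose action lives outside Program Files/Windows."""
    if not is_schtasks_create(ev):
        return False
    name, action = task_args(ev["CommandLine"])
    return any(w in name.lower() for w in VENDOR_WORDS) and not TRUSTED_ROOT.match(action)


def rule_schtasks_from_untrusted_parent(ev: Dict[str, str]) -> bool:
    """Persistence being set up by a binary that is not itself in a trusted location."""
    return is_schtasks_create(ev) and not TRUSTED_ROOT.match(ev["ParentImage"])


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("scr_from_user_writable_path", rule_scr_from_user_writable_path),
    ("task_name_masquerades_vendor", rule_task_name_masquerades_vendor),
    ("schtasks_from_untrusted_parent", rule_schtasks_from_untrusted_parent),
]


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, rule in triage(EVENTS):
        print(f"event {idx}: {rule}: {EVENTS[idx]['Image']}")
```

The two benign records are there on purpose: the real AhnLab updater under Program Files and an administrator's backup task trigger nothing, while the dropper chain fires three times. The `Temp1_<archive>` folder is where the Windows shell extracts a file double-clicked inside a ZIP, so that path fragment alone says "executed straight from an archive". In production the same rules are usually expressed as Sigma or an EDR query, and the scheduled-task check can equally be keyed on Security event 4698 (task created) rather than on the `schtasks.exe` process.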
The emergence of these new tools underscores the persistent and adaptive nature of Kimsuky and Lazarus. Their continued activity reinforces the need for ongoing threat analysis, advanced monitoring, and robust cybersecurity practices across organizations.
Security vendors and researchers continue to track North Korea's cyber operations and their impact on businesses both regionally and worldwide.