November 4, 2025
Severity
High
Analysis Summary
North Korean state-sponsored threat actors continue to demonstrate considerable technical sophistication in their recent cyber-espionage operations. Two of the regime's most prominent APT groups, Kimsuky and Lazarus, have introduced new tooling: Kimsuky a backdoor named HttpTroy, and Lazarus an enhanced variant of BLINDINGCAN. Both are designed to establish stealthy persistence and maintain long-term remote access to compromised systems. These developments highlight the continuous evolution of North Korea's cyber capabilities, combining technical precision with strategic targeting of entities across multiple nations for intelligence collection and operational advantage.
The Kimsuky campaign uncovered by researchers targeted a South Korean victim through a ZIP archive disguised as a VPN invoice from a legitimate security company. The archive contained a malicious screensaver (.scr) file, which executed upon launch while displaying a decoy PDF document to distract the user. Behind the scenes, the infection chain unfolded in three stages, starting with a Go-based dropper that embedded encrypted payloads. The dropper used COM server registration (regsvr32.exe) to establish persistence, followed by a Memload_V3 module that created scheduled tasks imitating antivirus updates every minute. The final stage, HttpTroy, provided full backdoor functionality, enabling command execution, file manipulation, screenshot capture, and reverse shell access.
HttpTroy's communication mechanism relies on HTTP POST requests protected by a dual-layer obfuscation scheme: XOR encryption (key 0x56) followed by Base64 encoding, which conceals its data exchanges with the command-and-control (C2) server. The backdoor interprets commands structured as "command parameter" instructions and sends responses such as "ok" or "fail" to report operation results. Its design also incorporates dynamic API hashing and runtime string reconstruction, techniques that hinder static analysis and evade conventional antivirus detection by defeating signature-based identification. This layered design reflects Kimsuky's increasing focus on anti-detection strategies and precise system-level control.
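The following is an added example for analysts, not code from the advisory or from the malware itself: it reverses the two obfuscation layers described above (Base64, then XOR with 0x56) on captured POST bodies so that tasking strings and "ok"/"fail" status replies can be read during triage. The exact framing of the command string (a single space separator, UTF-8 text, no additional headers) and the sample bodies are assumptions constructed for the example.

```python
import base64
import binascii

XOR_KEY = 0x56  # single-byte XOR key reported for HttpTroy's C2 traffic


def encode_httptroy(plaintext: bytes, key: int = XOR_KEY) -> str:
    """Apply the reported scheme in order: XOR each byte, then Base64-encode."""
    return base64.b64encode(bytes(b ^ key for b in plaintext)).decode("ascii")


def decode_httptroy(body: str, key: int = XOR_KEY) -> bytes:
    """Reverse the layers on a captured POST body: Base64-decode, then XOR.

    Raises binascii.Error (a ValueError subclass) if the body is not valid Base64.
    """
    raw = base64.b64decode(body, validate=True)
    return bytes(b ^ key for b in raw)


def parse_command(decoded: bytes) -> tuple[str, str]:
    """Split a decoded tasking string into ('command', 'parameter').

    The space-separated framing is an assumption; the page only states the
    "command parameter" shape.
    """
    text = decoded.decode("utf-8", errors="replace").strip()
    cmd, _, param = text.partition(" ")
    return cmd, param


def triage_bodies(bodies: list[str], key: int = XOR_KEY) -> list[tuple[str, bytes]]:
    """Loose triage over captured POST bodies.

    Returns (original_body, decoded_bytes) for bodies that decode to a known
    status token or to printable text. Short random bodies can pass this
    heuristic, so treat hits as leads for manual review, not as verdicts.
    """
    hits = []
    for body in bodies:
        try:
            decoded = decode_httptroy(body, key)
        except (binascii.Error, ValueError):
            continue  # not Base64 at all; cannot be this scheme
        is_status = decoded.strip() in (b"ok", b"fail")
        is_text = bool(decoded) and all(32 <= b < 127 or b in b"\r\n\t" for b in decoded)
        if is_status or is_text:
            hits.append((body, decoded))
    return hits


# Constructed sample bodies: one encoded status reply, one encoded tasking
# string, and one body that is not Base64 and should be skipped.
SAMPLE_BODIES = [encode_httptroy(b"ok"), encode_httptroy(b"screenshot C:\\Users"), "not base64!!"]
```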
Meanwhile, Lazarus Group's campaign targeted two organizations in Canada using more intricate persistence and obfuscation methods. Their enhanced BLINDINGCAN variant employed service-based persistence, dynamic registry manipulation, and service enumeration techniques that blend malicious components with legitimate enterprise processes, effectively bypassing traditional endpoint defenses. Together, the Kimsuky and Lazarus operations demonstrate North Korea's maturing cyber warfare framework, which combines deceptive social engineering, deep system exploitation, and encryption-based evasion. These campaigns reinforce the need for heightened monitoring, behavioral detection, and awareness of the regional targeting patterns associated with North Korean APT activity.
Impact
- Sensitive Data Theft
- Gain Access
- File Manipulation
Indicators of Compromise
Domain Name
- tronracing.com
IP
- 23.27.140.49
- 166.88.11.10
MD5
- 17ed62943568cb3ba5b858c26081a100
SHA-256
- 368769df7d319371073f33c29ad0097fbe48e805630cf961b6f00ab2ccddbb4c
SHA-1
- 9a06044008b1b2bc95664fead761d56c051b5d96
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Patch OS, browsers, PDF readers and security products immediately and keep them up to date.
- Enforce application allowlisting so that only approved binaries can run, and block unknown .scr, .exe and unsigned binaries.
- Disable or restrict use of regsvr32.exe where possible; if needed, restrict to admin-only and monitor its use.
- Turn on least privilege: ensure users do not run with administrative rights for daily work.
- Block execution from common download locations (e.g., user Downloads, temp folders) and from archived attachments opened directly.
- Enforce strong authentication (MFA) for all remote access and critical admin accounts.