
New HttpTroy Backdoor Poses as VPN Invoice in Targeted Cyberattack on South Korea

Medium
Phishing
Published: Mon Nov 03 2025 (11/03/2025, 10:42:00 UTC)
Source: The Hacker News

Description

The North Korea-linked threat actor known as Kimsuky has distributed a previously undocumented backdoor codenamed HttpTroy as part of a likely spear-phishing attack targeting a single victim in South Korea. Gen Digital, which disclosed details of the activity, did not reveal any details on when the incident occurred, but noted that the phishing email contained a ZIP file ("250908_A_HK이노션

AI-Powered Analysis

Last updated: 11/03/2025, 10:56:10 UTC

Technical Analysis

The HttpTroy backdoor is a newly discovered malware implant attributed to the North Korea-linked APT group Kimsuky, identified through a spear-phishing campaign targeting a single victim in South Korea. The attack begins with a phishing email containing a ZIP archive named to resemble a VPN invoice, which includes an SCR file that initiates a multi-stage infection chain. This chain consists of a small dropper, a loader called MemLoad, and the final backdoor, HttpTroy. The dropper is a Golang binary embedding three files, including a decoy PDF to distract the victim.

MemLoad establishes persistence by creating a scheduled task named "AhnlabUpdate," impersonating the South Korean cybersecurity firm AhnLab, and then decrypts and loads the HttpTroy DLL backdoor. HttpTroy provides attackers with extensive capabilities: uploading and downloading files, capturing screenshots, executing arbitrary commands with elevated privileges, in-memory execution of binaries, reverse shell access, process termination, and trace removal. Communication with the attacker's C2 server occurs over HTTP POST requests to "load.auraria[.]org."

The malware employs sophisticated obfuscation, including custom hashing for API calls, XOR- and SIMD-based string obfuscation, and dynamic runtime reconstruction of API hashes and strings, complicating static analysis and detection. This campaign reflects a well-structured, stealthy infection chain designed to maintain long-term access and evade detection. The disclosure also references related DPRK-linked activity involving the Lazarus Group deploying other advanced malware, underscoring the ongoing evolution of North Korean cyber threats. No known exploits or vulnerabilities were leveraged; initial access is assessed as phishing-based. The HttpTroy backdoor's advanced persistence, stealth, and control capabilities make it a significant threat to targeted organizations.

Potential Impact

For European organizations, the HttpTroy backdoor represents a significant risk due to its advanced stealth, persistence, and control capabilities. If deployed against European targets, it could lead to unauthorized access, data exfiltration, espionage, and disruption of critical systems. The malware’s ability to execute commands with elevated privileges and evade detection increases the risk of prolonged undetected compromise, potentially affecting confidentiality, integrity, and availability of sensitive information and systems. European entities involved in sectors similar to those targeted in South Korea—such as technology, government, defense, and critical infrastructure—may be particularly at risk. The impersonation of legitimate security software and use of multi-stage obfuscation complicate detection and response efforts. Additionally, the geopolitical tensions involving DPRK and Europe’s strategic partnerships with South Korea and allied nations could make certain European countries more attractive targets for such espionage campaigns. The lack of known exploits suggests that phishing remains the primary attack vector, emphasizing the importance of user awareness and email security. Overall, the threat could facilitate espionage, intellectual property theft, and operational disruption within European organizations if leveraged in the region.

Mitigation Recommendations

European organizations should implement targeted defenses against sophisticated phishing and multi-stage malware infections like HttpTroy. Specific recommendations include:

1) Enhance email security by deploying advanced anti-phishing solutions capable of detecting malicious attachments and ZIP archives masquerading as legitimate documents;
2) Implement strict attachment and macro execution policies, including blocking or sandboxing suspicious SCR files and executables;
3) Deploy endpoint detection and response (EDR) tools with behavioral analysis to identify unusual scheduled tasks, process injections, and in-memory execution indicative of loaders like MemLoad and backdoors like HttpTroy;
4) Monitor for persistence mechanisms impersonating known security vendors (e.g., scheduled tasks named after AhnLab) and unusual network traffic to suspicious C2 domains;
5) Conduct regular user training focused on spear-phishing recognition, especially regarding unexpected invoices or VPN-related communications;
6) Employ network segmentation and least privilege principles to limit lateral movement and privilege escalation;
7) Maintain updated threat intelligence feeds to detect emerging IoCs and TTPs related to Kimsuky and similar actors;
8) Use application allowlisting to prevent execution of unauthorized binaries;
9) Regularly audit and harden scheduled tasks and services to detect unauthorized modifications;
10) Prepare incident response plans tailored to multi-stage, obfuscated malware infections to enable rapid containment and remediation.
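The technical analysis names two artifacts that recommendations 3 and 4 ask defenders to watch for: a scheduled task created under a security vendor's name ("AhnlabUpdate") and HTTP traffic to the reported C2 host (load.auraria[.]org). The script below is an added example, not code from Gen Digital, The Hacker News, or this site. It runs both checks over a handful of constructed JSON log lines. The log format, the field names, the sample records, and the rule that a vendor-named task is only suspicious when its action runs from outside that vendor's install directory are all assumptions made for this example; the only values taken from the report are the task name and the defanged domain. The vendor rule generalizes beyond the one task name in the report, so it also catches other tasks that borrow the AhnLab name.

```python
import json
import re
from typing import Optional

# Indicators as published in the analysis. The domain is kept defanged exactly
# as reported and is refanged only when building the match set.
C2_DOMAINS_DEFANGED = ["load.auraria[.]org"]
KNOWN_TASK_NAMES = ["AhnlabUpdate"]

# Vendors whose names a persistence task may borrow (the report names AhnLab).
# A vendor-named task is flagged when its action binary does not live under the
# vendor's install directory. The directory pattern is an assumption for this
# example, not something the report states.
VENDOR_PATTERNS = {
    "AhnLab": (
        re.compile(r"ahnlab", re.IGNORECASE),
        re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\AhnLab\\", re.IGNORECASE),
    ),
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'load.auraria[.]org' back into a matchable host name."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d).lower() for d in C2_DOMAINS_DEFANGED}


def parse_event(line: str) -> Optional[dict]:
    """Parse one JSON log line; malformed lines return None so one bad record cannot abort a scan."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def check_scheduled_task(event: dict) -> Optional[dict]:
    """Flag scheduled-task creation (Windows Security event 4698) that uses a reported or vendor-like name."""
    if event.get("event_id") != 4698:
        return None
    name = event.get("task_name", "")
    command = event.get("command", "")
    leaf = name.rsplit("\\", 1)[-1]  # task name without its folder path
    if leaf in KNOWN_TASK_NAMES:
        return {"rule": "known_task_name", "task": name, "command": command}
    for vendor, (name_re, install_dir_re) in VENDOR_PATTERNS.items():
        if name_re.search(name) and not install_dir_re.match(command):
            return {"rule": "vendor_impersonation", "vendor": vendor, "task": name, "command": command}
    return None


def check_network(event: dict) -> Optional[dict]:
    """Flag any HTTP request to the reported C2 host; the backdoor uses POST, but every method is worth a look."""
    host = event.get("host", "").lower()
    if host in C2_DOMAINS:
        return {"rule": "c2_domain", "host": host, "method": event.get("method")}
    return None


def scan(lines) -> list:
    """Run every check over every parsable event and return the findings in log order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        for check in (check_scheduled_task, check_network):
            hit = check(event)
            if hit:
                hit["ts"] = event.get("ts")
                findings.append(hit)
    return findings


# Constructed sample records (not real telemetry): one task using the reported
# name, one legitimate-looking vendor task, one stock Windows task, one task that
# borrows the vendor name from a user-writable path, one request to the C2 host,
# one benign request, and one malformed line.
SAMPLE_LOG_LINES = [
    r'{"ts":"2025-11-03T09:12:01Z","event_id":4698,"task_name":"\\AhnlabUpdate","command":"C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe","user":"victim"}',
    r'{"ts":"2025-11-03T09:12:05Z","event_id":4698,"task_name":"\\AhnLab\\V3 Scan","command":"C:\\Program Files\\AhnLab\\V3\\scan.exe","user":"SYSTEM"}',
    r'{"ts":"2025-11-03T09:12:09Z","event_id":4698,"task_name":"\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan","command":"C:\\Windows\\System32\\usoclient.exe","user":"SYSTEM"}',
    r'{"ts":"2025-11-03T09:13:40Z","event_id":4698,"task_name":"\\AhnLabSecurityUpdate","command":"C:\\Users\\Public\\Libraries\\ahnlabsvc.exe","user":"victim"}',
    r'{"ts":"2025-11-03T09:14:02Z","source":"proxy","method":"POST","host":"load.auraria.org","url":"/","bytes":1204}',
    r'{"ts":"2025-11-03T09:14:30Z","source":"proxy","method":"GET","host":"update.example.com","url":"/","bytes":512}',
    "not json at all",
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(finding)
```

Feed real exports in the same JSON-lines shape and the two checks apply unchanged; the vendor install-directory allowlist is the part to adapt to the products actually deployed, since a vendor's own update task is the expected false positive of a name-only rule.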


Technical Details

Article Source: https://thehackernews.com/2025/11/new-httptroy-backdoor-poses-as-vpn.html (fetched 2025-11-03T10:55:56.792Z, 1242 words)

Threat ID: 69088a3c5abee5c7f35a3e91

Added to database: 11/3/2025, 10:55:56 AM

Last enriched: 11/3/2025, 10:56:10 AM

Last updated: 11/5/2025, 2:10:05 PM

