North Korea’s New Backdoor Is Smarter Than It Looks


According to Dark Reading, North Korean threat group Kimsuky has deployed a new backdoor called HTTPTroy against South Korean users in attacks observed last week. The attack chain starts with a zip archive containing a Windows screensaver file that displays a fake PDF invoice while loading malware in the background. HTTPTroy gives attackers full system access including file movement, screenshot capture, and command execution. Researchers from Gen and ESET analyzed the malware, noting it uses encryption, payload obfuscation, and memory-only execution to evade detection. This follows recent Kimsuky campaigns using password-protected zip files and AI-generated deepfakes targeting journalists and diplomats.
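The lure described above, a zip archive whose single member is a Windows screensaver (.scr) named to look like a PDF invoice, is the kind of thing a mail gateway or triage script can flag before anyone opens it. The following is an added example written for this page, not code from Dark Reading, Gen or ESET; the function names, the extension lists and the sample archive are all assumptions constructed for illustration. It opens an archive in memory and reports members that carry an executable extension, hide a document extension in front of it, start with a PE (MZ) header, or are encrypted and therefore cannot be inspected (the password-protected zips mentioned later in the article fall into that last category).

```python
import io
import zipfile

# File types Windows runs as programs or scripts even when the name looks like a
# document. A .scr screensaver is an ordinary PE executable, which is why the
# archive in the story could use one to pose as an invoice. (Assumed lists.)
EXECUTABLE_EXTENSIONS = {"scr", "exe", "com", "pif", "cpl", "bat", "cmd", "js", "vbs", "hta", "lnk"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def inspect_zip(data: bytes) -> list[dict]:
    """Return a finding (name plus reasons) for every archive member that deserves a second look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            basename = info.filename.rsplit("/", 1)[-1].lower()
            parts = basename.split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension .{ext}")
            # "invoice.pdf.scr": a document extension placed just before the real one.
            if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append(f"document extension .{parts[-2]} hidden before .{ext}")
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                reasons.append("encrypted member, content not inspected")
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == PE_MAGIC:
                    reasons.append("PE header (MZ) at start of content")
                    if ext not in EXECUTABLE_EXTENSIONS:
                        reasons.append("PE content behind a non-executable extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy-named screensaver next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fake PE body: only the MZ magic followed by padding, not a runnable program.
        zf.writestr("Invoice_2024.pdf.scr", PE_MAGIC + b"\x00" * 62)
        zf.writestr("README.txt", b"Please find the invoice attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_archive()):
        print(finding["name"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the constructed archive, only `Invoice_2024.pdf.scr` is reported, with four reasons; the text file produces none. The encrypted-member branch matters in practice: a password-protected archive yields no content to check, so the finding should be treated as "unknown" rather than "clean" and routed to a sandbox or a human.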


The Evolution of North Korean Malware

Here’s the thing about HTTPTroy – it’s not some revolutionary new technology. Basically, it’s a straightforward improvement on existing tools that Kimsuky and their notorious cousins in the Lazarus group have been using for years. But that’s exactly what makes it interesting. These groups aren’t trying to reinvent the wheel every time – they’re making calculated, incremental improvements that make detection and analysis just difficult enough to matter.

They’re using legitimate services and Windows processes to hide their activities. They’re employing multiple layers of encryption at different stages of the attack chain. And they’re executing code directly in memory so it never touches the disk. It’s like they’re playing a game of “how many hoops can we make researchers jump through?” The answer, apparently, is “quite a few.”

Why North Korean Hackers Prefer Stability

Now here’s where it gets really interesting. Despite all these evasion techniques, researchers note that the core capabilities of these North Korean groups change surprisingly slowly. Peter Kálnai from ESET points out that stability and operational simplicity often trump continuous feature development for these attackers. They’d rather have tools that work reliably than constantly chase the latest shiny object.

Think about it from their perspective – they’re not commercial software developers trying to out-feature competitors. They’re state-sponsored actors with specific objectives. If their current tools get the job done with minimal fuss, why complicate things? This creates a weird dynamic where defenders are racing to catch up with increasingly sophisticated evasion techniques, but the actual malicious capabilities underneath might be more familiar than you’d expect.

What This Means for Defense

So how do you defend against groups that are both sophisticated and pragmatic? The obvious answer is better detection capabilities – specifically in-memory scanning since these threats increasingly avoid writing to disk. But there’s a bigger picture here. As Gen’s analysis shows, understanding attacker priorities and patterns matters just as much as detecting specific malware signatures.

These groups have shown remarkable creativity in their approach. They’ve even infiltrated hiring processes at Fortune 100 companies, placing North Korean IT workers inside target organizations. That’s next-level operational security thinking. Defenders need to think just as creatively about where and how these attacks might come – not just what the malware looks like when it arrives.

The game continues, but it’s not entirely stacked against defenders. Understanding that these groups value stability and simplicity gives us clues about where to focus our efforts. Sometimes the most dangerous threats aren’t the flashiest – they’re the ones that work reliably enough to keep coming back.
