DPRK's Playbook: HttpTroy and New BLINDINGCAN Variant

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

Recent investigations have uncovered two new toolsets from North Korean threat actors. Kimsuky deployed a new backdoor called HttpTroy, targeting a victim in South Korea through a VPN invoice-themed attack. The attack chain involves a dropper, a loader called MemLoad, and the HttpTroy backdoor, which provides extensive control over the compromised system. Lazarus introduced an upgraded version of its BLINDINGCAN remote access tool, targeting victims in Canada. The attack chain includes a new variant of Comebacker malware leading to the enhanced BLINDINGCAN. Both attacks demonstrate sophisticated obfuscation techniques, stealthy code, and layered approaches to evade detection. The toolsets showcase the DPRK's adaptive and evolving cyber capabilities, emphasizing the need for heightened cybersecurity measures.

OPENCTI LABELS :

stealth,remote access tool,dprk,comebacker,backdoor,espionage,obfuscation,blindingcan,httptroy


AI COMMENTARY :

1. The Democratic People’s Republic of Korea (DPRK) has once again proven its capacity for sophisticated cyber operations by deploying two distinct toolsets in separate campaigns. These operations highlight the nation’s emphasis on stealth and layered attack chains, enabling threat actors to infiltrate target networks while minimizing detection. As geopolitical tensions escalate, understanding these developments has become crucial for organizations seeking to bolster their defenses against state-sponsored espionage.

2. Kimsuky’s deployment of the new HttpTroy backdoor illustrates a methodical approach to breaching high-value targets. The campaign begins with a VPN invoice–themed dropper that lures victims into executing malicious code. That dropper then delivers MemLoad, a lightweight loader designed to minimize forensic footprints before deploying HttpTroy. Once active, HttpTroy functions as a full-featured backdoor, granting attackers remote access to system resources, data exfiltration capabilities, and the ability to execute arbitrary commands under the cover of legitimate processes. This combination of dropper, loader, and backdoor demonstrates Kimsuky’s evolving tradecraft in espionage operations.

3. Meanwhile, the Lazarus group has introduced an upgraded variant of its BLINDINGCAN remote access tool in a campaign targeting Canadian organizations. The attack chain in this case begins with a revamped edition of the Comebacker malware, which serves as the initial foothold. Upon successful compromise, Comebacker stages the enhanced BLINDINGCAN implant, leveraging advanced obfuscation to cloak its activities from security products. This remote access tool grants the DPRK’s operators extensive control over compromised endpoints, enabling them to conduct reconnaissance, lateral movement, and data theft without raising alarms.

4. Both toolsets employ sophisticated obfuscation and stealth techniques designed to evade detection at every phase of the attack chain. Code injection, encrypted payloads, and custom packers obscure the inner workings of each component, while careful use of legitimate system utilities reduces anomalous behavior signatures. Layered delivery mechanisms—dropper to loader to main implant—further complicate incident response, as defenders must isolate and remediate multiple payloads across different environments. These tactics underscore an adaptive mindset that thrives on innovation and persistence.

5. The emergence of HttpTroy and the new BLINDINGCAN variant underscores the critical need for comprehensive cybersecurity strategies. Organizations should employ threat intelligence feeds to stay apprised of DPRK-linked indicator updates, deploy endpoint detection solutions tuned to identify anomalous process behavior, and enforce strict network segmentation to limit lateral movement. Regular security assessments and employee training on social engineering tactics, such as malicious invoice attachments, will also help stem the tide of future attacks from these nation-state adversaries.
