North Korea’s Kimsuky Group Deploys Sneaky New Backdoor


According to Dark Reading, North Korean threat group Kimsuky has deployed a new backdoor called HTTPTroy against South Korean targets. The attack chain starts with a zip archive containing a Windows screensaver file that displays a fake Korean PDF invoice while loading malware in the background. Researchers from cybersecurity firm Gen analyzed the threat, which gives attackers complete system control including file movement, screenshot capture, and command execution. The backdoor uses encryption, payload obfuscation, and memory-only execution to evade detection. This follows recent Kimsuky campaigns using password-protected zip files and AI-generated deepfake photos targeting journalists and activists.


Stealth is the name of the game

Here’s the thing about North Korean hacking groups – they’re not trying to reinvent the wheel. They’re taking what already works and making it harder to spot. HTTPTroy is basically an evolution of their existing tools, but with better hiding capabilities. It runs entirely in memory, meaning there’s no file left on disk for traditional antivirus to detect. And they’re using legitimate Windows processes and commercial encryption to blend in.

But the really clever part? They’re thinking beyond just technical tricks. One researcher mentioned they’ve seen North Korean IT workers actually getting hired by Fortune 100 companies. Imagine that – your new “colleague” from North Korea quietly working from inside your network. That’s next-level social engineering.

Why South Korea keeps getting hit

Look, this isn’t random. South Korean targets – government agencies, defense contractors, cryptocurrency firms – are consistently in the crosshairs. And it makes sense when you think about the geopolitical situation. These attacks aren’t about showing off technical prowess. They’re about gathering intelligence and, in some cases, generating revenue for the regime.

The pattern is pretty clear: start with something that looks legitimate (like that fake PDF invoice), get a foothold, then deploy increasingly sophisticated tools. And they’re patient. These groups will spend months or even years inside a network, slowly expanding access.

What defenders can do

So how do you fight back against something that doesn’t leave traditional footprints? The key is looking in the right places. As Gen’s research shows, you need security tools that can scan memory directly, not just files on disk. You also need good threat intelligence to understand these groups’ specific methods.

But here’s an interesting twist: even state-sponsored hackers get tired of the arms race. Researchers note that groups like Kimsuky and Lazarus actually prefer stability over constantly developing new features. Their core tools change slowly. That means once you understand their patterns, you can build defenses that work for longer periods.

The bottom line? These attacks are sophisticated but not unbeatable. They rely on people clicking suspicious files and systems not monitoring memory activity. Basic security hygiene combined with advanced detection capabilities can go a long way. After all, even the sneakiest backdoor needs someone to open that initial file.
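The article's attack chain starts with a zip archive carrying a Windows screensaver (.scr) file dressed up as a PDF invoice, and earlier campaigns used password-protected zips. The following is an added triage example, not code from Gen or the article: it inspects an archive in memory and flags entries with directly executable extensions, a document extension hidden under a trailing one, a PE header under a harmless-looking extension, or encrypted contents that cannot be inspected at all. The extension lists and the sample archive are constructed assumptions for illustration.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click (assumption: a short triage
# list, not exhaustive). The attack chain in the article used a .scr file.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".cpl"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "hwp"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def triage_zip(data: bytes) -> list[dict]:
    """Inspect a zip archive in memory and return a finding per suspicious entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("document extension hidden by a trailing extension")
            if info.flag_bits & 0x1:
                # Encrypted entry: the body cannot be sniffed without the password,
                # so the name is the only signal; record that explicitly.
                reasons.append("encrypted entry, content not inspectable")
            else:
                with zf.open(info) as fh:
                    head = fh.read(len(PE_MAGIC))
                if head == PE_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
                    reasons.append("PE header under a non-executable extension")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign text file, a decoy 'invoice' screensaver
    and a fake PDF, both containing only the PE magic plus padding (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text, nothing to see")
        zf.writestr("invoice.pdf.scr", PE_MAGIC + b"\x00" * 62)
        zf.writestr("notes.pdf", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()
```

Running `triage_zip(build_sample_archive())` flags the two decoy entries and leaves the text file alone; in a mail gateway or sandbox pipeline the same checks would run on the attachment before the user ever sees it.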
