North Korean hackers deploy new HttpTroy malware disguised as VPN invoice in targeted South Korea attack

A new cybersecurity report has revealed that a North Korea-linked hacking group known as Kimsuky has deployed a previously unknown backdoor, dubbed HttpTroy, in what experts believe to be a targeted spear-phishing campaign against a victim in South Korea.

According to analysts at Gen Digital, the attack involved a phishing email carrying a compressed ZIP attachment that appeared to contain a legitimate VPN invoice. Once opened, the file triggered a multi-stage malware infection chain, enabling the attackers to take remote control of the victim’s system, capture screenshots, and transfer files undetected.

Security researchers say the campaign showcases Kimsuky’s increasing technical sophistication and focus on stealth. The infection sequence began with a lightweight dropper written in Go (Golang), which contained several embedded files, including a decoy PDF document designed to make the attack appear harmless. The malware then loaded a second component known as MemLoad, responsible for maintaining persistence by creating a scheduled task under the name “AhnlabUpdate” — an apparent attempt to impersonate the South Korean cybersecurity firm, AhnLab.

Once fully deployed, the HttpTroy backdoor allowed for complete system access. Investigators found that the malware could upload and download files, execute system commands with administrator privileges, terminate processes, and even erase traces of its activity. The malicious software communicated with its remote command-and-control server via HTTP POST requests, a method that helps blend its traffic into ordinary web communication.

Researchers noted that HttpTroy employs several layers of obfuscation to avoid detection. Its code conceals API calls and strings through custom hashing and runtime reconstruction, meaning each new infection appears slightly different — a tactic that makes signature-based detection nearly impossible.

The campaign has raised concerns within the cybersecurity community about ongoing North Korean cyber-espionage activity. Kimsuky, also known as Velvet Chollima or Thallium, has a long history of intelligence-gathering operations targeting government, defense, and research institutions in South Korea, the United States, and Europe. The group’s latest actions underscore how state-sponsored hackers continue to adapt, using socially engineered lures and legitimate-looking documents to gain entry into critical networks.

In a related finding, Gen Digital also reported that another North Korean advanced persistent threat (APT) group, Lazarus, recently carried out an attack that led to the deployment of Comebacker and an updated version of BLINDINGCAN, a remote access trojan capable of data exfiltration and system control. Though the two operations were separate, analysts believe they reflect Pyongyang’s continued investment in cyber capabilities to collect intelligence and maintain geopolitical leverage.

Experts advise organizations — especially those operating in sensitive sectors — to increase vigilance against phishing attempts that mimic trusted corporate or government sources. Multi-factor authentication, employee training, and continuous monitoring for suspicious network activity remain key defenses.

While the exact scale of the HttpTroy campaign is unclear, its discovery reinforces a familiar pattern: North Korean hacking units refining their methods to remain steps ahead of conventional defenses.

FAQs

1. Who is the Kimsuky group?
Kimsuky is a North Korea-linked hacking group active since at least 2013. It conducts cyber-espionage operations targeting government, defense, and policy organizations, primarily in South Korea and allied nations.

2. What is HttpTroy malware?
HttpTroy is a backdoor program discovered in 2025 that allows attackers to remotely control infected systems, capture data, and run commands. It communicates with command servers via HTTP to hide in normal web traffic.

3. How was HttpTroy distributed?
The malware was spread through a phishing email containing a fake VPN invoice in a ZIP attachment. When opened, it launched multiple hidden processes that installed the backdoor.

4. How can users protect themselves from such threats?
Experts recommend verifying email attachments, keeping antivirus tools updated, using multi-factor authentication, and avoiding unsolicited invoices or security updates from unknown senders.

5. Are Kimsuky and Lazarus connected?
Both groups are believed to operate under the North Korean regime, but with separate missions. They occasionally share tools or infrastructure to enhance their cyber-espionage operations.
