DPRK's Playbook: HttpTroy and New BLINDINGCAN Variant
Essential information
- Published
- 03/11/2025 10:19
- Modified
- 03/11/2025 11:05
- Tags
- 2025-11-03 backdoor blindingcan comebacker dprk espionage httptroy obfuscation remote access tool stealth
- Related entities
- 15 observables, 1 intrusion sets (apt), 3 malware, 1 others
Description
Recent investigations have uncovered two new toolsets from North Korean threat actors. Kimsuky deployed a new backdoor called HttpTroy, targeting a victim in South Korea through a VPN invoice-themed attack. The attack chain involves a dropper, a loader called MemLoad, and the HttpTroy backdoor, which provides extensive control over the compromised system. Lazarus introduced an upgraded version of its BLINDINGCAN remote access tool, targeting victims in Canada. The attack chain includes a new variant of Comebacker malware leading to the enhanced BLINDINGCAN. Both attacks demonstrate sophisticated obfuscation techniques, stealthy code, and layered approaches to evade detection. The toolsets showcase the DPRK's adaptive and evolving cyber capabilities, emphasizing the need for heightened cybersecurity measures.