Threat researchers have uncovered sophisticated new malware toolsets deployed by North Korean-aligned threat groups Kimsuky and Lazarus, revealing an escalating arms race in targeted cyberattacks.
Kimsuky introduced HttpTroy, a heavily obfuscated backdoor, while Lazarus deployed an upgraded variant of its BLINDINGCAN remote access tool.
Both campaigns demonstrate advanced evasion techniques and multi-stage infection chains designed to penetrate and maintain persistent access to victim systems.
Kimsuky’s HttpTroy Campaign Targets South Korea
Kimsuky’s attack chain centered on a Korean-language phishing lure disguised as a VPN invoice, distributed via a ZIP archive containing a malicious SCR file.
The infection unfolds across three stages, beginning with a lightweight Go dropper that decrypts embedded files using XOR with key 0x39, then registers the next-stage backdoor as a COM server with regsvr32.exe while displaying a fake PDF invoice to keep the victim unaware.
The intermediate stage, internally identified as MemLoad_V3, establishes persistence through a scheduled task named “AhnlabUpdate”, deliberately mimicking Korean anti-virus software to avoid suspicion. The task executes every minute via regsvr32.exe and decrypts the final payload using RC4 before loading it directly into memory.
The final HttpTroy backdoor grants attackers comprehensive system control, including file upload/download, screenshot capture, elevated-privilege command execution, reverse shell functionality, and loading memory-resident executables.
The backdoor employs multi-layered obfuscation through custom API hashing, XOR operations, and SIMD instructions, with strings and hashes dynamically reconstructed at runtime.
Communication occurs exclusively via HTTP POST requests to command-and-control servers, with all data encrypted using XOR (key 0x56) and then Base64-encoded.
Lazarus’s BLINDINGCAN Evolution Targets California
Lazarus demonstrated similar sophistication through its Comebacker dropper variants; researchers captured the attack chain mid-execution against two California victims.
The campaign deployed both DLL and EXE variants of Comebacker through Windows services and command-line execution, respectively, sharing identical functionality focused on payload decryption and service-based deployment.
The dropper employs dynamic API resolution, parameter validation gates, and selective registry manipulation to avoid detection.
It uses both HC256 stream cipher and RC4 encryption for different components, then deploys Compcat_v1.dll as a second-stage wrapper that decrypts and loads the final BLINDINGCAN payload into memory.
The new BLINDINGCAN variant represents a significant capability upgrade, supporting 27 distinct command functions including file exfiltration, secure deletion, process management, remote command execution, screenshot capture, and video capture device enumeration.
Authentication utilizes RSA-2048 key exchange followed by AES-128-CBC encryption for command communications. The malware implements sophisticated obfuscation through MD5-based integrity checking, offset-shifted token encryption, and extensive random padding in network traffic.
Defensive Measures
Organizations should block execution of SCR files, disable COM object registration, implement application whitelisting, and monitor for unusual scheduled tasks with suspicious naming patterns.
Network defenders must maintain vigilant monitoring for outbound HTTP POST traffic to known command-and-control infrastructure and implement behavioral detection for dynamic API resolution patterns and registry manipulation activities associated with DPRK-linked campaigns.
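The two detection opportunities the report gives defenders, the Base64-then-XOR(0x56) HttpTroy POST bodies and the “AhnlabUpdate” scheduled task that runs regsvr32.exe every minute, can be turned into a small triage script. The following is an added example, not code from the report or from either malware family; the task-record layout, the printability heuristic and the sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import string
from typing import Optional

# Values taken from the report: HttpTroy XORs C2 data with 0x56 and Base64-encodes it;
# MemLoad_V3 persists via a scheduled task named "AhnlabUpdate" that runs regsvr32.exe every minute.
HTTPTROY_XOR_KEY = 0x56
# AhnLab is the Korean anti-virus vendor the task name imitates; V3 is its product line.
TASK_NAME_PATTERN = re.compile(r"ahnlab|v3", re.IGNORECASE)


def decode_httptroy_body(body: str) -> Optional[bytes]:
    """Undo the Base64-then-XOR(0x56) encoding the report describes for HttpTroy POST bodies.
    Returns None when the body is not valid Base64, so unrelated traffic is skipped."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (ValueError, binascii.Error):
        return None
    return bytes(b ^ HTTPTROY_XOR_KEY for b in raw)


def mostly_printable(data: bytes, threshold: float = 0.9) -> bool:
    """Triage heuristic (an assumption, not from the report): a decoded body that is mostly
    printable text deserves a closer look; random bytes XORed with one key stay random."""
    if not data:
        return False
    printable = sum(chr(b) in string.printable for b in data)
    return printable / len(data) >= threshold


def suspicious_scheduled_task(task: dict) -> list:
    """Score a scheduled-task record against the MemLoad_V3 persistence pattern.
    `task` is an assumed record layout with keys: name, command, interval_minutes."""
    reasons = []
    if TASK_NAME_PATTERN.search(task.get("name", "")):
        reasons.append("name mimics Korean anti-virus product")
    if "regsvr32" in task.get("command", "").lower():
        reasons.append("action invokes regsvr32.exe")
    if task.get("interval_minutes", 0) and task["interval_minutes"] <= 1:
        reasons.append("runs every minute")
    return reasons


if __name__ == "__main__":
    # Constructed sample records, not real telemetry; the DLL path is a placeholder.
    sample_task = {"name": "AhnlabUpdate", "command": r"regsvr32.exe /s C:\ProgramData\stage2.dll",
                   "interval_minutes": 1}
    print(suspicious_scheduled_task(sample_task))
    # "PjM6Ojk=" is the word "hello" XORed with 0x56 and Base64-encoded (constructed test vector).
    print(decode_httptroy_body("PjM6Ojk="))
```

Feed real task exports and captured POST bodies into these functions to surface candidates for analyst review; a non-empty reason list or a decodable, mostly printable body is a lead, not a verdict.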
Indicators of compromise