DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant

Threat Labs discovered two DPRK-linked campaigns: Kimsuky deployed a multi-stage chain ending in an obfuscated HttpTroy HTTP-based backdoor, while Lazarus used new Comebacker variants to deliver an upgraded BLINDINGCAN RAT with enhanced cryptography. Both campaigns use layered obfuscation, dynamic API resolution, and stealthy persistence mechanisms like scheduled tasks and services. #HttpTroy #BLINDINGCAN

Keypoints

  • Kimsuky campaign used a phishing-like ZIP (VPN invoice lure) containing a .scr Go dropper that decrypts three embedded files and displays a decoy PDF.
  • The Kimsuky chain includes a loader MemLoad_V3 that re-creates an “AhnlabUpdate” scheduled task for persistence and RC4-decrypts the final payload into memory.
  • HttpTroy backdoor provides file upload/download, screenshots, command execution, reverse shell, process termination, and communicates with C2 via XOR+Base64 over HTTP POST.
  • Lazarus campaign involved new Comebacker DLL/EXE droppers that validate parameters, decrypt embedded payloads (HC256/RC4), deploy a service DLL wrapper (Compcat_v1.dll) and load final PE into memory.
  • Final Lazarus payload is a new BLINDINGCAN variant with RSA and AES-128-CBC cryptography, complex C2 authentication, and a wide command set for reconnaissance, exfiltration, remote execution, and cleanup.
  • Both toolsets heavily employ dynamic API resolution, multiple ciphers (RC4, HC256, AES), custom obfuscation/hashing, and techniques to mimic legitimate files and services to evade detection.
  • Key defensive recommendations: avoid unexpected attachments, treat .scr as executable, keep security software updated, and monitor for listed IOCs and suspicious scheduled tasks/services behavior.
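One way to act on the last two points (the one-minute "AhnlabUpdate" scheduled task and the advice to watch scheduled-task behaviour) is to triage Windows Security event 4698 (scheduled task created) content. The code below is an added example, not part of the original write-up or either toolset; the event XML is constructed, the DLL path is a placeholder, and the rule thresholds are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample TaskContent XML as embedded in a Security event 4698. The
# task name and one-minute repetition mirror the persistence described above;
# the DLL path is a placeholder, not an artifact from the report.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition>
<StartBoundary>2025-09-08T09:00:00</StartBoundary></TimeTrigger></Triggers>
<Actions Context="Author"><Exec><Command>regsvr32.exe</Command>
<Arguments>/s C:\\ProgramData\\placeholder.dll</Arguments></Exec></Actions></Task>"""

# Constructed benign control: a daily task running an installed updater.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><CalendarTrigger><StartBoundary>2025-09-08T03:00:00</StartBoundary>
<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
<Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command>
</Exec></Actions></Task>"""

KNOWN_TASK_NAMES = {"ahnlabupdate"}  # persistence task name reported above
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe"}  # assumed watchlist
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """Convert an ISO 8601 duration such as PT1M or P1DT2H into seconds (None if malformed)."""
    m = DURATION.match(text.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def analyze_task(task_name, task_xml):
    """Return findings for one 4698 event given its task name and TaskContent XML."""
    findings = []
    root = ET.fromstring(task_xml)
    if task_name.strip("\\").lower() in KNOWN_TASK_NAMES:
        findings.append("task name matches reported persistence name")
    for interval in root.iterfind(".//{*}Repetition/{*}Interval"):
        secs = iso_duration_seconds(interval.text or "")
        if secs is not None and secs <= 60:  # assumed threshold: minute-level repetition
            findings.append(f"repeats every {secs}s")
    for ex in root.iterfind(".//{*}Actions/{*}Exec"):
        cmd = (ex.findtext("{*}Command") or "").strip().lower()
        args = (ex.findtext("{*}Arguments") or "").strip().lower()
        if cmd.rsplit("\\", 1)[-1] in PROXY_BINARIES:
            findings.append(f"action proxies execution through {cmd} {args}".strip())
        if "programdata" in cmd + args:  # report lists C:\ProgramData staging paths
            findings.append("payload staged under ProgramData")
    return findings


def scan_events(events):
    """Map task name to findings for every event that triggered at least one rule."""
    return {name: f for name, xml in events for f in [analyze_task(name, xml)] if f}
```

Feed it real 4698 events by extracting the Task Name and Task Content fields from the event; the benign control should yield no findings.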

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Used to execute commands and launch components (e.g., “regsvr32.exe /s ” and cmd.exe execution). Quote: ‘regsvr32.exe /s ‘
  • [T1105] Ingress Tool Transfer – Initial files were obtained via internet download packaged in a ZIP (phishing email likely). Quote: ‘packaged within a ZIP archive named “250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서”’
  • [T1218] Signed Binary Proxy Execution (Regsvr32) – The dropper registers and executes DLLs via regsvr32 to run payloads. Quote: ‘registering the next stage backdoor as a COM server using “regsvr32.exe”’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – MemLoad_V3 re-creates a scheduled task “AhnlabUpdate” for persistence and repeats every minute. Quote: ‘re-creates a scheduled task named “AhnlabUpdate”’
  • [T1543.002] Create or Modify System Process: Windows Service – Comebacker selects a service name, installs and starts a service to run the payload. Quote: ‘registers and starts a service using the randomly selected name’
  • [T1055] Process Injection – Final payloads are decrypted and loaded directly into memory (MemLoad and Compcat_v1.dll memory mapping). Quote: ‘the payload is loaded directly into memory’
  • [T1027] Obfuscated Files or Information – Multiple layers of obfuscation, custom hashing of API calls, XOR/SIMD string obfuscation and varied runtime reconstruction. Quote: ‘API calls are concealed using custom hashing techniques… strings are obfuscated through a combination of XOR operations and SIMD instructions.’
  • [T1041] Exfiltration Over C2 Channel – HttpTroy and BLINDINGCAN exfiltrate data and results via HTTP(S) requests with XOR+Base64 and AES-encrypted payloads. Quote: ‘The HttpTroy backdoor communicates with its command-and-control server exclusively via HTTP POST requests.’
  • [T1113] Screen Capture – HttpTroy and BLINDINGCAN can capture and exfiltrate screenshots. Quote: ‘Screenshot capture and exfiltration’
  • [T1486] Data Encrypted for Impact (secure delete/cleanup) – BLINDINGCAN supports secure file deletion and self-removal to remove traces. Quote: ‘Securely delete a file by overwriting it and renaming it multiple times’ and ‘securely deletes itself and terminates itself’

Indicators of Compromise

  • [File Hash] Kimsuky dropper and components – e19ce3bd1cbd980082d3c55a4ac1eb3af4d9e7adf108afb1861372f9c7fe0b76 (SCR), 20e0db1d2ad90bc46c7074c2cc116c2c08a8183f3ac6f357e7ebee0c7cc02596 (MemLoad_V3), 10c3b3ab2e9cb618fc938028c9295ad5bdb1d836b8f07d65c0d3036dbc18bbb4 (HttpTroy)
  • [File Hash] Lazarus Comebacker / BLINDINGCAN – 509fb00b9d6eaa74f54a3d1f092a161a095e5132d80cc9cc95c184d4e258525b, b5eae8de6f5445e06b99eb8b0927f9abb9031519d772969bd13a7a0fb43ec067 (Comebacker variants); 368769df7d319371073f33c29ad0097fbe48e805630cf961b6f00ab2ccddbb4 (service binary); c60587964a93b650f3442589b05e9010a262b927d9b60065afd8091ada7799fe (new BLINDINGCAN)
  • [Domain / URL] C2 endpoints – hxxp[://]load[.]auraria[.]org/index[.]php (HttpTroy C2); hxxp[://]166[.]88[.]11[.]10/upload/check.asp, hxxps[://]tronracing[.]com/upload/check.asp, hxxp[://]23[.]27[.]140[.]49/Onenote/index.asp (BLINDINGCAN/Comebacker C2s)
  • [File Name / Paths] Dropped filenames and artifacts – “250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서” ZIP and .scr decoy; C:\ProgramData\comms.bin, C:\ProgramData\Comms\ssh.bin, C:\Windows\system32\.dll (DLL name elided in the source) and kjepl.xml
  • [Mutex] Runtime mutexes – a:fnjiuygredfgbbgfcvhutrv and u:fnjiuygredfgbbgfcvhutrv (used by HttpTroy)

Read more: https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis