DPRK's Playbook: HttpTroy and New BLINDINGCAN Variant

Nov. 3, 2025, 11:05 a.m.

Description

Recent investigations have uncovered two new toolsets from North Korean threat actors. Kimsuky deployed a new backdoor called HttpTroy, targeting a victim in South Korea through a VPN invoice-themed attack. The attack chain involves a dropper, a loader called MemLoad, and the HttpTroy backdoor, which provides extensive control over the compromised system. Lazarus introduced an upgraded version of its BLINDINGCAN remote access tool, targeting victims in Canada. The attack chain includes a new variant of Comebacker malware leading to the enhanced BLINDINGCAN. Both attacks demonstrate sophisticated obfuscation techniques, stealthy code, and layered approaches to evade detection. The toolsets showcase the DPRK's adaptive and evolving cyber capabilities, emphasizing the need for heightened cybersecurity measures.

Date

  • Created: Nov. 3, 2025, 10:19 a.m.
  • Published: Nov. 3, 2025, 10:19 a.m.
  • Modified: Nov. 3, 2025, 11:05 a.m.

Indicators


Attack Patterns

  • BLINDINGCAN - S0520
  • HttpTroy
  • Comebacker
  • Kimsuky, Lazarus

Additional Information

  • Canada