
DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant

2025-10-30, GenDigital
https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis
#BLINDINGCAN #HttpTroy #Kimsuky #Lazarus #DataSoultion

In recent weeks, our Threat Labs researchers have uncovered two new toolsets that show just how adaptive the DPRK’s operations have become. Kimsuky, known for its espionage-style campaigns, deployed a new backdoor we’ve named HttpTroy, while Lazarus introduced an upgraded version of its BLINDINGCAN remote access tool.
Both attacks reveal the same underlying pattern: stealthy code and layered obfuscation. In this post, we’ll break down how these tools work, what they target and what defenders can learn from the latest moves inside the DPRK playbook.
Inside DPRK’s Latest Campaigns: How Kimsuky and Lazarus Refine Their Playbook
The Kimsuky attack targeted a single victim in KR and started with a ZIP file that looked like a VPN invoice, then quietly installed tools that let attackers move files, take screenshots and run commands. The chain has three steps: a small dropper, a loader called MemLoad, and the …

IoC
