North Korean hacking groups Kimsuky and Lazarus has intensified its cyber operations by developing new, sophisticated remote access backdoor tools. The new variants — HttpTroy and BLINDINGCAN — shows how these state-sponsored actors continue to refine their methods to evade detection and maintain long-term access to compromised systems.
Threat intelligence researchers have identified two distinct tools: Kimsuky's new HttpTroy backdoor and the Lazarus group's upgraded BLINDINGCAN variant. Both represent the next step in North Korea's cyber arsenal and are being used in targeted attacks against strategic targets in several countries.

Kimsuky campaign: social engineering and HttpTroy
The operation from Kimsuky targeted a specific victim in South Korea using a fake business communication. The attack chain began with a ZIP archive that pretended to be a VPN invoice. When the file was opened, it started a chain of malicious processes that eventually installed HttpTroy, a backdoor designed to give attackers full control over the system.
The initial infection exploited a slight Go-based dropper which displayed a legitimate PDF document to trick the user. It used simple XOR encryption (key 0x39) to decrypt its embedded payloads and then established persistence via a scheduled task that mimicked antivirus updates from AhnLab.
HttpTroy offers features to upload and download files, take screenshots, run commands, exfiltrate data, and erase traces. All communication is done via HTTP POST requests with XOR and Base64 obfuscation.

The Lazarus Group's updated BLINDINGCAN
At the same time, it was observed Lazarus Group carry out a parallel attack in Canada, where an improved version of The BLINDINGCAN remote access tool was used. Researchers also discovered a new Comebacker damage program which facilitated the delivery of BLINDINGCAN. This variant exhibits improved mechanisms for data collection and remote control, strengthening Lazarus' long-term espionage capabilities.
Both Kimsuky and Lazarus uses advanced methods to make analysis difficult, including API hashing, dynamic string reconstruction, and SIMD-based obfuscation. Their goal is clear: to hide activity and maintain access to high-priority systems for as long as possible.

Threat actors from North Korea continue to evolve
The two campaigns highlight a worrying development in how North Korean threat actors adapts to modern security solutions. By combining social engineering, customized malware, and multi-layered obfuscation, it continues Kimsuky and Lazarus to pose a significant global threat.
Security experts recommend several countermeasures:
- Be suspicious of unexpected email attachments, especially ZIP files.
- Remember that files with the .scr extension are executable programs.
- Keep security software and threat information up to date.
- Implement behavioral detection that can reveal suspicious processes after an intrusion.
The emergence of these new tools confirms the persistent and adaptive nature of Kimsuky and Lazarus. Their work underscores the importance of continuous threat analysis, advanced monitoring, and strong cybersecurity within all organizations.
The IT industry continues to monitor developments around North Korea cyber activities and their impact on both Nordic and global companies.








