Cybertech Europe 2026-IT Industry Official Media Partner
Subscribe

Stay up to date with the most important news

By pressing the Subscribe button, you confirm that you have read and agree to our privacy policy and terms of use
Contact us

Kimsuky and Lazarus behind new backdoor attacks

Cyberattack from Kimsuky and Lazarus – advanced threat actors targeting developers Cyberattack from Kimsuky and Lazarus – advanced threat actors targeting developers
The Kimsuky and Lazarus groups' attacks on developers and CI/CD environments.

North Korean hacking groups Kimsuky and Lazarus has intensified its cyber operations by developing new, sophisticated remote access backdoor tools. The new variants — HttpTroy and BLINDINGCAN — shows how these state-sponsored actors continue to refine their methods to evade detection and maintain long-term access to compromised systems.

Threat intelligence researchers have identified two distinct tools: Kimsuky's new HttpTroy backdoor and the Lazarus group's upgraded BLINDINGCAN variant. Both represent the next step in North Korea's cyber arsenal and are being used in targeted attacks against strategic targets in several countries.

An organizational chart titled 'Democratic People's Republic of Korea (DPRK, also called North Korea): Threat Actors under the Reconnaissance General Bureau.' The chart illustrates the connection between the Reconnaissance General Bureau and various cyber threat groups such as Alluring Pisces, Gleaming Pisces, Jumpy Pisces, Selective Pisces, Slow Pisces, and Sparkling Pisces, each with associated aliases.

Kimsuky campaign: social engineering and HttpTroy

The operation from Kimsuky targeted a specific victim in South Korea using a fake business communication. The attack chain began with a ZIP archive that pretended to be a VPN invoice. When the file was opened, it started a chain of malicious processes that eventually installed HttpTroy, a backdoor designed to give attackers full control over the system.

  • Maciek Szczesniak featured on IT-Branschen Wire Channel Magic Chats podcast banner
    Maciek Szczesniak appears on IT-Branschen Wire Channel Magic Chats, discussing leadership, innovation, digital transformation, and business services.
    SPONSORED

  • The IT industry Nordic technology media platform covering cybersecurity, cloud, AI, digital transformation, channel, MSP and enterprise IT news
    The IT industry is a leading Nordic technology media platform covering cybersecurity news, artificial intelligence, cloud computing, enterprise IT, digital transformation, managed services, channel partners, software development, telecommunications, data centers, IT infrastructure, technology leadership, business innovation, and emerging technologies. Through executive interviews, industry analysis, event coverage, thought leadership, product launches, vendor updates, and market insights, the IT industry connects technology decision-makers, CIOs, CISOs, CTOs, IT managers, MSPs, resellers, distributors, technology vendors, startups, and enterprise organizations across Sweden, Norway, Denmark, Finland, and Europe. Coverage includes cybersecurity trends, AI adoption, cloud strategy, enterprise software, networking, digital infrastructure, sustainability, compliance, governance, risk management, automation, data analytics, and future technology developments.
    OWN CONTENT

  • VORTIQ-X AI Governance helps companies transform AI into controllable and verifiable business value.
    VORTIQ-X is an AI Governance platform that helps organizations govern, verify, and create measurable business value from AI. The platform focuses on transparency, compliance, AI governance, and the effective use of AI in mission-critical processes.
    ADVERTISEMENT

  • Cybertech Europe 2026 cybersecurity conference in Rome with the IT industry as Official Media Partner
    Cybertech Europe 2026 is one of Europe's leading cybersecurity conferences, bringing together cybersecurity leaders, government officials, technology innovators, startups, investors, and enterprise decision-makers in Rome. The IT industry serves as an Official Media Partner, providing event coverage, executive interviews, industry insights, and cybersecurity news for Nordic and European audiences.
    ADVERTISEMENT

The initial infection exploited a slight Go-based dropper which displayed a legitimate PDF document to trick the user. It used simple XOR encryption (key 0x39) to decrypt its embedded payloads and then established persistence via a scheduled task that mimicked antivirus updates from AhnLab.

HttpTroy offers features to upload and download files, take screenshots, run commands, exfiltrate data, and erase traces. All communication is done via HTTP POST requests with XOR and Base64 obfuscation.

Memload_V3.

The Lazarus Group's updated BLINDINGCAN

At the same time, it was observed Lazarus Group carry out a parallel attack in Canada, where an improved version of The BLINDINGCAN remote access tool was used. Researchers also discovered a new Comebacker damage program which facilitated the delivery of BLINDINGCAN. This variant exhibits improved mechanisms for data collection and remote control, strengthening Lazarus' long-term espionage capabilities.

Both Kimsuky and Lazarus uses advanced methods to make analysis difficult, including API hashing, dynamic string reconstruction, and SIMD-based obfuscation. Their goal is clear: to hide activity and maintain access to high-priority systems for as long as possible.

command and control server.

Threat actors from North Korea continue to evolve

The two campaigns highlight a worrying development in how North Korean threat actors adapts to modern security solutions. By combining social engineering, customized malware, and multi-layered obfuscation, it continues Kimsuky and Lazarus to pose a significant global threat.

Security experts recommend several countermeasures:

  • Be suspicious of unexpected email attachments, especially ZIP files.
  • Remember that files with the .scr extension are executable programs.
  • Keep security software and threat information up to date.
  • Implement behavioral detection that can reveal suspicious processes after an intrusion.

The emergence of these new tools confirms the persistent and adaptive nature of Kimsuky and Lazarus. Their work underscores the importance of continuous threat analysis, advanced monitoring, and strong cybersecurity within all organizations.
The IT industry continues to monitor developments around North Korea cyber activities and their impact on both Nordic and global companies.

Stay up to date with the most important news

By pressing the Subscribe button, you confirm that you have read and agree to our privacy policy and terms of use
  • Maciek Szczesniak featured on IT-Branschen Wire Channel Magic Chats podcast banner
    Maciek Szczesniak appears on IT-Branschen Wire Channel Magic Chats, discussing leadership, innovation, digital transformation, and business services.
    SPONSORED

  • The IT industry Nordic technology media platform covering cybersecurity, cloud, AI, digital transformation, channel, MSP and enterprise IT news
    The IT industry is a leading Nordic technology media platform covering cybersecurity news, artificial intelligence, cloud computing, enterprise IT, digital transformation, managed services, channel partners, software development, telecommunications, data centers, IT infrastructure, technology leadership, business innovation, and emerging technologies. Through executive interviews, industry analysis, event coverage, thought leadership, product launches, vendor updates, and market insights, the IT industry connects technology decision-makers, CIOs, CISOs, CTOs, IT managers, MSPs, resellers, distributors, technology vendors, startups, and enterprise organizations across Sweden, Norway, Denmark, Finland, and Europe. Coverage includes cybersecurity trends, AI adoption, cloud strategy, enterprise software, networking, digital infrastructure, sustainability, compliance, governance, risk management, automation, data analytics, and future technology developments.
    OWN CONTENT

  • VORTIQ-X AI Governance helps companies transform AI into controllable and verifiable business value.
    VORTIQ-X is an AI Governance platform that helps organizations govern, verify, and create measurable business value from AI. The platform focuses on transparency, compliance, AI governance, and the effective use of AI in mission-critical processes.
    ADVERTISEMENT

  • Cybertech Europe 2026 cybersecurity conference in Rome with the IT industry as Official Media Partner
    Cybertech Europe 2026 is one of Europe's leading cybersecurity conferences, bringing together cybersecurity leaders, government officials, technology innovators, startups, investors, and enterprise decision-makers in Rome. The IT industry serves as an Official Media Partner, providing event coverage, executive interviews, industry insights, and cybersecurity news for Nordic and European audiences.
    ADVERTISEMENT