Researchers have identified a new backdoor named HttpTroy used in a targeted cyberattack against a victim in South Korea. Security analysts link the campaign to the APT group Kimsuky, which has been associated with North Korea and known for focused espionage operations.
The attackers delivered the malware through a realistic-looking VPN invoice. The invoice was packaged inside a ZIP file and written in Korean to increase the chance that the target would trust it. The ZIP contained an SCR file that appeared harmless but acted as the initial executable when opened.
When the SCR file ran, it launched a small Go-based loader. That loader decrypted additional components using a simple XOR routine before running them. This multi-stage process (ZIP to SCR to Go loader) helped the attack evade casual detection by automated scanners and security tools.
After the loader executed, the campaign installed the main HttpTroy backdoor and ensured persistence on the system. The attackers used regsvr32.exe to register a malicious COM server, making the payload appear as a normal Windows component. At the same time, a fake PDF invoice was displayed to the user so the infection continued without immediate suspicion.
Once active, HttpTroy provided operators with wide-ranging control over the compromised machine. The backdoor supported remote command execution, data collection, and communication with attacker-controlled servers. These capabilities are consistent with espionage-focused malware and allow attackers to steal information or move laterally inside a network.
The use of Korean-language social engineering combined with a lightweight, tailored loader shows an advanced approach to targeting. Presenting a VPN invoice in local language increased the chance of successful deception. The chosen delivery and persistence methods reduced the probability that an automated system would catch the entire attack chain at once.
There are several reasons this campaign is important. First, the new backdoor expands the known toolkit of the threat actor and suggests continued development of tailored malware. Second, the stealth techniques used make detection harder for defenders who rely only on signature-based scanners. Third, the targeted nature of the attack indicates that specific individuals or organizations were being watched and chosen for compromise.
Simple, practical steps can reduce the risk of similar attacks. Do not open unexpected ZIP attachments or run files that were not explicitly requested. Verify suspicious invoices or business documents through a separate communication channel, such as a phone call to a known number or the official service portal. Keep operating systems and endpoint security software updated to reduce exposure to known weaknesses.
Monitoring for specific signs can help detect an infection. Watch for unusual use of regsvr32.exe, unknown COM registrations, unexpected processes or new services, and unusual outbound network connections. If compromise is suspected, isolate the affected device, preserve system logs and forensic data, and contact an incident response provider for investigation.
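As an added illustration of that monitoring advice (not code from the report or from the researchers), the script below runs simple rules over constructed, Sysmon-style process-creation events: it flags a screensaver executable launched from a user-writable folder, regsvr32.exe spawned by an untrusted parent, and regsvr32.exe registering a DLL outside the Windows or Program Files trees. All paths, file names and events are made up for the example.

```python
import re

# Constructed process-creation events; none of these paths are from real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\VPN_invoice.scr",
     "cmdline": r'"C:\Users\alice\Downloads\VPN_invoice.scr"'},
    {"parent": r"C:\Users\alice\Downloads\VPN_invoice.scr",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\svc.dll"},
    {"parent": r"C:\Windows\System32\msiexec.exe",           # benign installer activity
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\comp.dll"'},
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)

def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def dll_from_cmdline(cmdline):
    """Return the DLL regsvr32 was asked to register: the last non-flag argument."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    targets = [t for t in tokens[1:] if not t.startswith("/")]
    return targets[-1] if targets else None

def assess(event):
    """Return a list of human-readable reasons the event looks suspicious (empty if none)."""
    reasons = []
    image, parent = event["image"].lower(), event["parent"].lower()
    if image.endswith(".scr") and in_user_writable(image):
        reasons.append("screensaver executable launched from user-writable path")
    if image.endswith("\\regsvr32.exe"):
        if not in_trusted_dir(parent):
            reasons.append("regsvr32 spawned by untrusted parent: " + event["parent"])
        dll = dll_from_cmdline(event["cmdline"])
        if dll and not in_trusted_dir(dll):
            reasons.append("regsvr32 registering DLL outside trusted directories: " + dll)
    return reasons

def scan(events):
    """Pair each flagged event's image path with its reasons; quiet events are dropped."""
    findings = [(e["image"], assess(e)) for e in events]
    return [(img, why) for img, why in findings if why]

if __name__ == "__main__":
    for img, why in scan(SAMPLE_EVENTS):
        print(img, "->", "; ".join(why))
```

Real deployments would feed these rules from an EDR or Sysmon pipeline and tune the trusted-directory list to the environment.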
Organizations should also report incidents to relevant national cyber authorities and share indicators with trusted security partners. Regular staff training on phishing recognition, routine backup of critical data, and tabletop exercises for incident response will improve readiness. Visibility into network traffic and endpoint behavior helps defenders spot anomalies earlier and reduce the potential impact of targeted intrusions.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news