HttpTroy is a backdoor associated with the North Korean threat actor Kimsuky, including activity linked to a Kimsuky-affiliated group identified as Larva-25004. It is described as the final payload in a multi-stage infection chain in which an initial dropper delivers the MemLoad loader, which then decrypts and reflectively loads HttpTroy into memory. Reported delivery includes phishing lures such as ZIP attachments disguised as South Korean VPN quotations and other social-engineering themes targeting South Korean users and organizations. Observed targeting includes South Korean public- and private-sector entities, including military, corporate, government, defense, medical, machinery, and energy-related sectors, with one report specifically noting attacks against a South Korean organization.
Documented capabilities include file upload and download, screenshot capture and exfiltration, command execution, in-memory loading or execution of executables, reverse shell access, process termination, and trace removal. The malware is intended to provide long-term access and support data exfiltration. Technical reporting states that HttpTroy is highly obfuscated, conceals API calls using custom hashing, reconstructs strings and API material at runtime, and communicates with command-and-control infrastructure over HTTP POST. One report states its C2 data is obfuscated with XOR using key 0x56 followed by Base64 encoding. Related reporting also links HttpTroy to C2 endpoints including load.auraria[.]org/index.php and file.bigcloud.n-e[.]kr/index.php. Additional reported IoCs include the mutexes a:fnjiuygredfgbbgfcvhutrv and u:fnjiuygredfgbbgfcvhutrv, and a user-agent string beginning with Mozilla/5.0 (Windows NT 10.0; Win64; x64) and Chrome/79.0.3945.130.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
HttpTroy, a backdoor delivered via a loader named MemLoad, allows file upload/download, screenshot capture, command execution, in-memory loading of executables, reverse shell, process termination, and trace removal.
15 distinct techniques documented for this family, organized by ATT&CK tactic.
“Given the nature of the filename, it is highly probable that the archive was distributed through a phishing email.”
HTTPSpy is a full-featured remote access trojan that supports a wide range of capabilities to run shell commands, upload/download files, execute processes, capture screenshots, inject DLL paths into specified PID processes, and erase itself from the endpoint.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
These attachments often consist of compressed files containing droppers in formats such as .JSE, .EXE, .PIF, or .SCR. The filenames are consistent with the message content and are meant to convince the recipient to open the attachment.
HTTPSpy is a full-featured remote access trojan that supports a wide range of capabilities to run shell commands, upload/download files, execute processes, capture screenshots, inject DLL paths into specified PID processes, and erase itself from the endpoint.
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
HttpMalice, the latest backdoor variant of PebbleDash, emerged no later than December 2025. It comes with capabilities to gather information about the compromised system, set up persistence, perform reconnaissance using native Windows commands, capture screenshots, load downloaded payloads into memory, run commands, and exfiltrate the execution output.
The content repeatedly describes threat actors, malware, and campaigns using HTTP, HTTPS, HTTP GET/POST, cookies in headers, WebSockets/WSS, and web APIs for command and control or related communications.
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A backdoor delivered by MemLoad that supports file transfer, screenshots, command execution, in-memory execution of binaries, reverse shell access, process termination, and trace removal.
HttpTroy is a remote access trojan used by the Larva-25004 group (affiliated with Kimsuky) for espionage, providing complete control over infected systems, including file transfer, screenshot capture, and command execution. It uses advanced obfuscation, encryption, and persistence techniques.
A backdoor used by the DPRK-linked Kimsuky group for remote access and control.
DPRK-linked (Kimsuky) backdoor associated with espionage-style campaigns; described as stealthy with layered obfuscation and suspected phishing delivery.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.