S9007: HTTPTroy
HTTPTroy is a highly obfuscated backdoor that facilitates collection, command and control, defense evasion and exfiltration. HTTPTroy was first reported in October 2025. HTTPTroy has been observed in operations attributed to DPRK-affiliated threat actors, including Kimsuky. HTTPTroy has been delivered to victims through a separate loader leveraged by Kimsuky.[1]
Analyst context for executives and security teams
HTTPTroy matters because it is described by ATT&CK as a highly obfuscated Windows backdoor with collection, command-and-control, defense evasion, and exfiltration capabilities. For leaders, the practical issue is not just one malware name; it is whether the organization can see and respond to a stealthy post-compromise tool that blends into web traffic, runs commands, captures screens, transfers files, deletes evidence, and may exfiltrate data over its C2 channel.
Executive priority
Prioritize this as a validation case for Windows endpoint visibility, egress monitoring, and incident response readiness. Because ATT&CK provides no official detection logic, executives should ask whether SOC teams can prove coverage for the related behaviors: obfuscated payloads, command shell execution, UAC bypass attempts, web-based C2, encoded/encrypted C2 content, file transfer, screen capture, file deletion, and exfiltration over the same channel. This is also relevant to audit and compliance evidence where organizations must demonstrate monitoring of data exfiltration paths and privileged activity.
Technical view
HTTPTroy is listed for Windows and is related to techniques spanning obfuscation, dynamic API resolution, native API use, Windows Command Shell, UAC bypass, web-protocol C2, non-standard encoding, symmetric cryptography, ingress tool transfer, screen capture, file deletion, deobfuscation, and exfiltration over C2. SOC and IR teams should validate behavioral detection chains rather than rely on a single indicator: suspicious or newly introduced Windows binaries, obfuscated or packed content, runtime API resolution, child cmd.exe activity, integrity-level changes or UAC bypass patterns, outbound HTTP/S-like traffic with unusual encoding or encryption characteristics, downloaded tools/files, screenshot activity, and cleanup/delete behavior after execution.
Likely telemetry
- Windows endpoint process creation and parent-child process telemetry, especially cmd.exe launched by unusual binaries
- EDR telemetry for native API use, dynamic API resolution, memory behavior, and suspicious module/function resolution
- File creation, modification, transfer, deobfuscation/decoding, and deletion events on Windows hosts
- UAC, integrity level, privilege elevation, and local administrator activity telemetry
- Network proxy, firewall, DNS, and HTTP/S metadata for outbound web-protocol communications
Detection direction
- Do not treat ordinary HTTP/S traffic or cmd.exe use as sufficient evidence by itself; tune for combinations such as unusual Windows binary execution followed by command shell activity and outbound web communications.
- Validate whether endpoint tooling can surface obfuscated files, dynamic API resolution, native API-heavy execution, and deobfuscation behavior; these are common blind spots for static-only detection.
- Correlate file transfer, command execution, screen capture, and file deletion with the same process lineage or host session to distinguish malicious post-compromise behavior from administration activity.
- Review egress monitoring for web-protocol C2 patterns, but account for false positives from legitimate applications that use custom encoding, encryption, or frequent outbound web requests.
- Because ATT&CK provides no official detection text for HTTPTroy, use the related ATT&CK techniques as coverage requirements and supplement with vetted intelligence from the cited Gen Digital report.
Mitigation priorities
- Harden Windows endpoints with least privilege, reduced local administrator exposure, and controls that limit or alert on UAC bypass behavior.
- Use application control or execution policy controls to reduce execution of unknown, obfuscated, or newly delivered binaries where operationally feasible.
- Strengthen outbound network governance: restrict unnecessary egress, monitor web-protocol traffic, and retain proxy/DNS/firewall logs long enough for investigation.
- Ensure endpoint logging captures process lineage, file events, privilege changes, and deletion activity needed to reconstruct a stealthy backdoor session.
- Prepare IR playbooks for web-based C2 and exfiltration scenarios, including host isolation, memory and file preservation, credential review, and egress scoping.
Analyst notes and limits
ATT&CK states HTTPTroy was first reported in October 2025, has been observed in operations attributed to DPRK-affiliated threat actors including Kimsuky, and has been delivered through a separate loader leveraged by Kimsuky. This take uses that context only as supplied and focuses on defensive validation of the listed behaviors rather than attribution-based assumptions.
The official ATT&CK object does not provide detection guidance, aliases, labels, or object-level tactics, and it lists Windows as the platform. The relationship context identifies techniques used by the malware, but it does not provide full procedure detail, indicators, prevalence, or environment-specific detection fidelity. Local telemetry, malware analysis, and threat intelligence are required to confirm exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | HTTPTroy has the ability to download files from C2 using the `down |
| Enterprise | T1059.003 | Windows Command Shell | HTTPTroy has the ability to generate a reverse shell using the command `conn |
| Enterprise | T1573.001 | Symmetric Cryptography | HTTPTroy has obfuscated request communications utilizing XOR encryption.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | HTTPTroy has obfuscated strings using Single Instruction Multiple Data (SIMD) instructions to hinder analysis and detection.[1] |
| Enterprise | T1132.002 | Non-Standard Encoding | HTTPTroy has obfuscated HTTP POST request communications utilizing XOR with a designated key of 0x56, followed by Base64 encoding.[1] |
| Enterprise | T1027.007 | Dynamic API Resolution | HTTPTroy has utilized dynamic API resolution by reconstructing API calls during runtime using combinations of arithmetic and logical operations to complicate static analysis.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | HTTPTroy has exfiltrated encrypted data over the C2 channel using the `up |
| Enterprise | T1113 | Screen Capture | HTTPTroy has obtained screen captures leveraging the `screen` command, which captures, encrypts and uploads the stolen image to the adversary-controlled C2 server.[1] |
| Enterprise | T1071.001 | Web Protocols | HTTPTroy has used HTTP POST requests to communicate with C2.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | HTTPTroy has decoded strings encoded with Base64 and XOR prior to execution.[1] |
| Enterprise | T1106 | Native API | HTTPTroy has leveraged Windows Native API calls, including `GetProcAddress`, to execute functions in memory.[1] |
| Enterprise | T1070.004 | File Deletion | HTTPTroy can terminate its running process and then remove traces of itself through the `die |
| Enterprise | T1548.002 | Bypass User Account Control | HTTPTroy has leveraged the ability to execute commands with system privileges using the `srun |
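The encoding described in the T1132.002 and T1140 rows above (XOR with 0x56, then Base64) is simple enough for an analyst to reverse when triaging captured POST bodies. The following is an added example, not code from the Gen Digital report or from MITRE: it decodes a constructed HTTPTroy-style body, flags which of several constructed sample bodies decode to text under the documented key, and generalises to recovering an unknown single-byte key by scoring the output for text-likeness. The sample plaintext, sample bodies and scoring weights are constructed for this example.

```python
import base64
import binascii
import string

KNOWN_KEY = 0x56  # single-byte XOR key documented for HTTPTroy POST bodies
_PRINTABLE = set(string.printable.encode())

def encode_body(plaintext: bytes, key: int = KNOWN_KEY) -> str:
    """Documented order: XOR each byte with the key, then Base64-encode."""
    return base64.b64encode(bytes(b ^ key for b in plaintext)).decode("ascii")

def decode_body(body: str, key: int = KNOWN_KEY):
    """Reverse the scheme; None when the body is not strict Base64 at all."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    return bytes(b ^ key for b in raw)

def text_score(data: bytes) -> float:
    """Per-byte plausibility that `data` is readable text (heuristic weights)."""
    total = 0
    for b in data:
        if b == 0x20:
            total += 3  # spaces are the strongest plain-text signal
        elif 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            total += 2  # ASCII letters
        elif b in _PRINTABLE:
            total += 1  # digits, punctuation, tabs/newlines
        else:
            total -= 5  # control or non-ASCII bytes
    return total / max(len(data), 1)

def recover_xor_key(body: str):
    """Generalisation: try all 256 single-byte keys and keep the most text-like
    result, so a sample whose key differs from 0x56 can still be triaged."""
    raw = decode_body(body, key=0)  # XOR with 0 is the identity: raw Base64 payload
    if raw is None:
        return None
    return max(range(256), key=lambda k: text_score(bytes(b ^ k for b in raw)))

def flag_bodies(bodies: list, threshold: float = 1.8) -> list:
    """Indexes of POST bodies that decode to text-like data under the known key."""
    return [i for i, body in enumerate(bodies)
            if (d := decode_body(body)) is not None and text_score(d) >= threshold]

# Constructed samples (not from the report): one HTTPTroy-style body, one plain form body, one Base64 PNG header.
SAMPLE_PLAINTEXT = b"screen capture uploaded from host ws-01"
SAMPLE_BODIES = [encode_body(SAMPLE_PLAINTEXT), "user=alice&action=login",
                 base64.b64encode(b"\x89PNG\r\n\x1a\n").decode("ascii")]
```

Legitimate Base64 of lowercase text can also survive XOR 0x56 as printable bytes, so the score threshold is a triage aid to be tuned against local traffic, not a verdict.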
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 74697c73acb3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Gen Digital Kimsuky HTTPTroy October 2025. Alexandru-Cristian Bardas. (2025, October 30). DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant. Retrieved April 8, 2026.
[2] mitre-attack S9007.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.