HTTPTroy

HTTPTroy is a highly obfuscated backdoor that facilitates collection, command and control, defense evasion and exfiltration. HTTPTroy was first reported in October 2025. HTTPTroy has been observed in operations attributed to DPRK-affiliated threat actors, including Kimsuky. HTTPTroy has been delivered to victims through a separate loader leveraged by Kimsuky.[1]

ID: S9007
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 April 2026
Last Modified: 23 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

HTTPTroy has leveraged the ability to execute commands with system privileges using the srun <EXECUTABLE> <ARGS> command.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

HTTPTroy has used HTTP POST requests to communicate with C2.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

HTTPTroy has the ability to generate a reverse shell using the command conn <IP_ADDRESS> <PORT>.[1]

Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

HTTPTroy has obfuscated HTTP POST request communications utilizing XOR with a designated key of 0x56, followed by Base64 encoding.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

HTTPTroy has decoded strings encoded with Base64 and XOR prior to execution.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

HTTPTroy has obfuscated request communications utilizing XOR encryption.[1]
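The POST-body transform described under T1132.002 and T1573.001 above (XOR with 0x56, then Base64), written out as an added analysis helper; this is not code from the ATT&CK page or from any HTTPTroy sample. The key 0x56 is the value the page reports; the sample bodies are constructed here, and the printable-text check is an assumed triage heuristic for captured traffic, not a detection signature.

```python
import base64
import string

XOR_KEY = 0x56  # single-byte key reported for HTTPTroy's POST bodies (from the page)


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same operation both applies and reverses the transform."""
    return bytes(b ^ key for b in data)


def encode_body(plaintext: bytes, key: int = XOR_KEY) -> str:
    """Apply the reported transform (XOR, then Base64) to build test fixtures."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_body(body: str, key: int = XOR_KEY) -> bytes:
    """Reverse the transform for analysis: Base64-decode, then XOR with the key."""
    return xor_bytes(base64.b64decode(body, validate=True), key)


PRINTABLE = set(string.printable.encode("ascii"))


def looks_like_httptroy_body(body: str, key: int = XOR_KEY, min_printable: float = 0.95) -> bool:
    """Triage heuristic (assumption, not a signature): does the body decode to mostly
    printable text under this key? Plain Base64 of binary data will not, so this
    separates the XOR-then-Base64 scheme from ordinary Base64 payloads for a first pass."""
    try:
        decoded = decode_body(body, key)
    except ValueError:  # binascii.Error (bad characters or padding) is a ValueError
        return False
    if not decoded:
        return False
    printable = sum(1 for b in decoded if b in PRINTABLE)
    return printable / len(decoded) >= min_printable


# Constructed samples, not real captures: one command-style string encoded the way the
# page says HTTPTroy encodes bodies, and one Base64 body of raw binary for contrast.
SAMPLE_PLAINTEXT = b"screen"
SAMPLE_BODY = encode_body(SAMPLE_PLAINTEXT)
BINARY_BODY = base64.b64encode(bytes(range(256))).decode("ascii")

if __name__ == "__main__":
    print(SAMPLE_BODY, decode_body(SAMPLE_BODY), looks_like_httptroy_body(SAMPLE_BODY))
```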

Enterprise T1041 Exfiltration Over C2 Channel

HTTPTroy has exfiltrated encrypted data over the C2 channel using the up <FILENAME> command.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

HTTPTroy can terminate its running process and then remove traces of itself through the die <COMMAND> command.[1]

Enterprise T1105 Ingress Tool Transfer

HTTPTroy has the ability to download files from C2 using the down <FILENAME> command.[1]

Enterprise T1106 Native API

HTTPTroy has leveraged Windows Native API calls, including GetProcAddress, to execute functions in memory.[1]

Enterprise T1027 Obfuscated Files or Information

HTTPTroy has obfuscated strings using Single Instruction Multiple Data (SIMD) instructions to hinder analysis and detection.[1]

Enterprise T1027 .007 Obfuscated Files or Information: Dynamic API Resolution

HTTPTroy has utilized dynamic API resolution by reconstructing API calls during runtime using combinations of arithmetic and logical operations to complicate static analysis.[1]

Enterprise T1113 Screen Capture

HTTPTroy has obtained screen captures using the screen command, which captures, encrypts, and uploads the stolen image to the adversary-controlled C2 server.[1]

Groups That Use This Software

ID Name References
G0094 Kimsuky [1]