DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant

2025-10-30 Gen Digital

https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis


Gen Threat Labs details two DPRK-linked toolsets: Kimsuky’s newly named HttpTroy backdoor, and a Lazarus chain that uses Comebacker to deploy a new BLINDINGCAN variant. In the Kimsuky case, a victim in South Korea received a ZIP archive masquerading as a SecuwaySSL VPN invoice; the .scr dropper inside displayed a decoy PDF while registering a COM-based loader and a scheduled task named “AhnlabUpdate.” MemLoad_V3 then decrypted and loaded HttpTroy in memory, giving the operators file transfer, screenshot capture, command execution, process termination, trace removal, and HTTP POST C2 traffic obfuscated with XOR plus Base64. In the Lazarus case, two victims in Canada were targeted; the Comebacker variants validated their command-line parameters, decrypted payloads with HC256 and RC4, deployed a service DLL, and led toward BLINDINGCAN. The excerpt provides actionable indicators, including SHA-256 hashes for the SCR, MemLoad_V3, and HttpTroy components, plus the C2 endpoint load.auraria.org/index.php.

Indicators of Compromise

Type     Value                               First Seen   Last Seen
IPv4     23.27.140.49                        2025-10-30   2026-02-24
HASH     10c3b3ab2e9cb618fc938028c9295ad…    2025-10-30   2025-10-30
HASH     e19ce3bd1cbd980082d3c55a4ac1eb3…    2025-10-30   2025-10-30
HASH     c60587964a93b650f3442589b05e901…    2025-10-30   2025-10-30
HASH     368769df7d319371073f33c29ad0097…    2025-10-30   2025-10-30
HASH     20e0db1d2ad90bc46c7074c2cc116c2…    2025-10-30   2025-10-30
HASH     509fb00b9d6eaa74f54a3d1f092a161…    2025-10-30   2025-10-30
HASH     b5eae8de6f5445e06b99eb8b0927f9a…    2025-10-30   2025-10-30
DOMAIN   load.auraria.org                    2025-10-30   2025-10-30
DOMAIN   tronracing.com                      2025-10-30   2025-10-30
IPv4     166.88.11.10                        2025-10-30   2025-10-30
