win.nikitear

NikiTeaR

Actor(s): Kimsuky


NikiTeaR is a sophisticated, custom-developed RAT, which is a rewritten variant of the NikiHTTP (aka NikiTea) RAT.

It supports the following commands:

- srun <EXEC> <ARGS>: executes an arbitrary command with elevated privileges.
- up/down <FILENAME>: performs remote file operations (upload/download).
- screen: captures screenshots for reconnaissance.
- conn <IP_ADDRESS> <PORT>: establishes a reverse shell.
- memload <EXPORT>: loads an additional DLL into memory.
- die <COMMAND>: terminates the process and removes traces.

It is delivered via a multi-stage execution chain, beginning with a Golang-based dropper that executes a loader, a DLL with the internal name MemLoad_V3.dll, capable of loading DLLs reflectively.

Its internal DLL name is httptroy_dll.dll.

To resist analysis, the backdoor is heavily obfuscated: it uses custom hashing to conceal Windows API calls, and employs a combined Base64+XOR encoding for C&C traffic and internal strings, which are dynamically reconstructed at runtime.

References

- 2025-10-30, Gen Digital, Alexandru-Cristian Bardaș: "DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant" (families covered: ComeBacker, DRATzarus, NikiTeaR)
- 2025-10-18, Twitter (@ThreatrayLabs), Threatray Labs: "Tweet on Kimsuky activity with loaders delivering HttpSpy and HttpTroy" (families covered: NikiTeaR)

There is no YARA signature yet.