win.nikitear

NikiTeaR

Actor(s): Kimsuky


NikiTeaR is a sophisticated, custom-developed RAT, which is a rewritten variant of the NikiHTTP (aka NikiTea) RAT.

It supports the following commands:

- srun <EXEC> <ARGS>: Executes arbitrary commands with elevated privileges.
- up/down <FILENAME>: Performs remote file operations (upload/download).
- screen: Captures screenshots for reconnaissance.
- conn <IP_ADDRESS> <PORT>: Establishes a reverse shell.
- memload <EXPORT>: Loads an additional DLL into memory.
- die <COMMAND>: Terminates the process and removes traces.

It is delivered via a multi-staged execution chain, beginning with a Golang-based dropper that executes a loader, a DLL with the internal name MemLoad_V3.dll, capable of loading DLLs reflectively.

Its internal DLL name is httptroy_dll.dll.

To resist analysis, the backdoor is heavily obfuscated; it utilizes custom hashing to conceal Windows API calls, and employs a combined Base64+XOR encryption for C&C traffic and internal character strings, which are dynamically reconstructed at runtime.
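Added example, not code from this page or from the referenced reports: a known-plaintext key-recovery and bulk-decode helper for the Base64+XOR string scheme described above. Because strings are reconstructed at runtime, one plaintext observed in a debugger or memory dump is enough to recover the XOR key stream and decode the rest of the table. The key, key length and layering order (XOR then Base64) are assumptions; the string table is constructed.

```python
import base64
from typing import List, Optional

# Constructed sample string table for this example. These are NOT strings
# recovered from a real NikiTeaR sample: they are plaintexts XOR'd with a
# repeating key and then Base64-encoded. The real key and layering order are
# not documented on this page and are assumed here.
SAMPLE_KEY = b"\x5a\x13"
SAMPLE_PLAINTEXTS = [b"httptroy_dll.dll", b"MemLoad_V3.dll", b"screen", b"memload"]


def encode(plaintext: bytes, key: bytes) -> bytes:
    """XOR with a repeating key, then Base64 (the assumed layering order)."""
    return base64.b64encode(bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext)))


SAMPLE_TABLE = [encode(p, SAMPLE_KEY) for p in SAMPLE_PLAINTEXTS]


def decode(blob: bytes, key: bytes) -> bytes:
    """Reverse of encode(): Base64-decode, then XOR with the repeating key."""
    raw = base64.b64decode(blob, validate=True)
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(raw))


def recover_key(blob: bytes, known_plaintext: bytes, max_key_len: int = 8) -> Optional[bytes]:
    """Known-plaintext key recovery.

    XORing the Base64-decoded bytes with the plaintext observed at runtime yields
    the key stream; the shortest prefix that repeats consistently over the whole
    stream is the key. Returns None if the lengths differ or no repeating key of
    at most max_key_len bytes explains the stream.
    """
    raw = base64.b64decode(blob, validate=True)
    if len(raw) != len(known_plaintext):
        return None
    stream = bytes(c ^ p for c, p in zip(raw, known_plaintext))
    for n in range(1, min(max_key_len, len(stream)) + 1):
        cand = stream[:n]
        if all(stream[i] == cand[i % n] for i in range(len(stream))):
            return cand
    return None


def decode_table(table: List[bytes], key: bytes) -> List[bytes]:
    """Decode every blob of an encrypted string table with the recovered key."""
    return [decode(b, key) for b in table]


if __name__ == "__main__":
    key = recover_key(SAMPLE_TABLE[0], b"httptroy_dll.dll")
    print(key, decode_table(SAMPLE_TABLE, key))
```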

References

- 2025-10-30, Gen Digital, Alexandru-Cristian Bardaș: "DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant" (families: ComeBacker, DRATzarus, NikiTeaR)
- 2025-10-18, Twitter (@ThreatrayLabs), Threatray Labs: "Tweet on Kimsuky activity with loaders delivering HttpSpy and HttpTroy" (families: NikiTeaR)
Yara Rules
[TLP:WHITE] win_nikitear_auto (20260504 | Detects win.nikitear.)
rule win_nikitear_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.nikitear."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nikitear"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 448bd9 48bbb301000000010000 0f1f4000 660f1f840000000000 410fbe0a 8bd1 80e941 }
            // n = 7, score = 100
            //   448bd9               | test                al, al
            //   48bbb301000000010000     | test    ebp, ebp
            //   0f1f4000             | cmovns              eax, ebp
            //   660f1f840000000000     | sar    eax, 1
            //   410fbe0a             | je                  0x106d
            //   8bd1                 | nop                 dword ptr [eax]
            //   80e941               | inc                 ebx

        $sequence_1 = { 488d1567250200 b903000000 4c8d0553250200 e8???????? 488bd3 8bcf }
            // n = 6, score = 100
            //   488d1567250200       | in                  al, 0x9c
            //   b903000000           | bnd retf            
            //   4c8d0553250200       | test                ecx, ecx
            //   e8????????           |                     
            //   488bd3               | je                  0x1442
            //   8bcf                 | movzx               eax, byte ptr [ebp + ecx - 0x2f]

        $sequence_2 = { 4833d8 490fafde 4983e901 75d9 488bcb e8???????? 488d55b0 }
            // n = 7, score = 100
            //   4833d8               | shr                 eax, 3
            //   490fafde             | mov                 dword ptr [esp + 0x50], eax
            //   4983e901             | mov                 ecx, eax
            //   75d9                 | mov                 dword ptr [esp + 0x38], eax
            //   488bcb               | mov                 eax, edx
            //   e8????????           |                     
            //   488d55b0             | je                  0xf2d

        $sequence_3 = { 4883ec60 488b05???????? 4833c4 488945f8 33db 48895dd0 4c8d05da5e0300 }
            // n = 7, score = 100
            //   4883ec60             | add                 eax, dword ptr [ecx + esi*4 + 0x1004]
            //   488b05????????       |                     
            //   4833c4               | sar                 eax, 0x10
            //   488945f8             | test                al, 6
            //   33db                 | jne                 0x507
            //   48895dd0             | cmp                 dword ptr [ecx + 0x10], 0
            //   4c8d05da5e0300       | jle                 0x507

        $sequence_4 = { 30440db9 48ffc1 4883f910 72ed 0fb645b9 }
            // n = 5, score = 100
            //   30440db9             | dec                 esp
            //   48ffc1               | mov                 dword ptr [ebp], esp
            //   4883f910             | mov                 dword ptr [ebp + 0x30], 0x68
            //   72ed                 | dec                 eax
            //   0fb645b9             | lea                 eax, [ebp + 0xc0]

        $sequence_5 = { f6c304 7424 410fb60a 83e10f 4a0fbe843108460300 428a8c3118460300 }
            // n = 6, score = 100
            //   f6c304               | jl                  0x1a9d
            //   7424                 | cmp                 al, 0x7e
            //   410fb60a             | jg                  0x1a9d
            //   83e10f               | inc                 ebx
            //   4a0fbe843108460300     | movzx    eax, byte ptr [ebp + ebx - 0x17]
            //   428a8c3118460300     | cmp                 al, 0x20

        $sequence_6 = { 40383c0b 75f7 33d2 48f7f1 0fb6041a }
            // n = 5, score = 100
            //   40383c0b             | dec                 eax
            //   75f7                 | mov                 dword ptr [ecx + 0x90], eax
            //   33d2                 | dec                 eax
            //   48f7f1               | lea                 eax, [0x2f50]
            //   0fb6041a             | dec                 ecx

        $sequence_7 = { 488bc8 ff15???????? 4889842498000000 4885c0 0f8448070000 c744245654000000 c744245050004f00 }
            // n = 7, score = 100
            //   488bc8               | sub                 eax, ecx
            //   ff15????????         |                     
            //   4889842498000000     | inc                 ecx
            //   4885c0               | cmp                 eax, eax
            //   0f8448070000         | jl                  0x1cb7
            //   c744245654000000     | shr                 eax, 1
            //   c744245050004f00     | jmp                 0x1cc7

        $sequence_8 = { e8???????? 483bd8 7509 488d3dbce90100 eb16 b902000000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   483bd8               | dec                 eax
            //   7509                 | lea                 ecx, [0x209b2]
            //   488d3dbce90100       | dec                 eax
            //   eb16                 | test                eax, eax
            //   b902000000           | je                  0x15d9

        $sequence_9 = { 0f1f840000000000 8d040a 30440dc1 48ffc1 4883f90b 7306 }
            // n = 6, score = 100
            //   0f1f840000000000     | dec                 esp
            //   8d040a               | lea                 eax, [0x38438]
            //   30440dc1             | dec                 eax
            //   48ffc1               | lea                 edx, [0x384f1]
            //   4883f90b             | dec                 ebp
            //   7306                 | lea                 ecx, [esi + 0x31ac]

    condition:
        7 of them and filesize < 610304
}