Kimsuky’s HappyDoor backdoor is a multi-year operation tracked through 2021–2024, featuring a Notepad registry–driven config, staged execution with an /i argument flow, and HTTP-based C2 communications plus extensive information theft capabilities. It is delivered via spear-phishing attachments, evolved across versions with frequent updates, and leverages regsvr32 for persistence and execution.
#HappyDoor #Kimsuky #AppleSeed #AhnLabTIP #NotepadRegistry #regsvr32
Key points
- HappyDoor is a backdoor attributed to the Kimsuky group, observed from 2021 to 2024 in breach activity.
- Initial access is through spear phishing attachments containing a compressed dropper, with JavaScript/AMSI decoding used before execution.
- Persistence is achieved via a scheduled task and regsvr32-based DLL loading, using an execution flow that starts with install*, then init*, then run*.
- Notepad registry data stores configuration (including encryption ON/OFF and info-leak parameters) used by the backdoor.
- HappyDoor’s communication uses HTTP for C2, with additional data encoding (XOR/Base64) observed in packets.
- The malware collects and exfiltrates information through six infostealing functions (ssht, klog, fmon, ausb, amtp, mrec, mmtp) and other data (osi, gcfg).
- Version history shows monthly patches and evolving execution arguments (/i) from install* to init* to run*, enabling different behavior across builds.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Initial delivery by spear-phishing email: “The Kimsuky group has distributed various malware strains via spear phishing email attacks in the past.”
- [T1053.005] Scheduled Task – Scheduler (schtasks) registration to run the backdoor: “Scheduler (schtasks) registration command” and the IntelDiskVolume0 task setup.
- [T1218.011] Signed Binary Proxy Execution – regsvr32 used to load and execute the HappyDoor DLL: “regsvr32.exe /s /n /i:init* C:\Windows\..\ProgramData\[HappyDoor]”.
- [T1071.001] Web Protocols – HappyDoor communicates with its C2 over HTTP: “HappyDoor uses the HTTP protocol to perform the following communication:”
- [T1132] Data Encoding – Packets are XOR/Base64 encoded; “The XOR encoding used in this packet is identical to the encryption method in ‘2.1. Registry Data’.”
- [T1113] Screen Capture – Infostealing includes screenshot collection: “screenshot” feature in the six infostealing types.
- [T1056.001] Keylogging – Infostealing includes keylogger activity: “keylogger” in the information-leaking features.
- [T1005] Data from Local System – Filemon collects targeted local files for exfiltration: “Filemon collects files that meet certain conditions…”
- [T1041] Exfiltration Over C2 – Leaked data is sent to the C2 server during information theft and backdoor operation: “leaking information to the C2 server.”
- [T1059.003] Windows Command Shell – Backdoor commands executed via command line (cmd.exe) during Run Command Line actions.
- [T1059.001] PowerShell – Backdoor commands executed via PowerShell (Run with PowerShell).
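The regsvr32 flow above (silent `/s`, no `DllRegisterServer` via `/n`, and a `/i:install*`/`init*`/`run*` argument handed to `DllInstall`) is a narrow pattern a defender can hunt for in process-creation telemetry. The detector below is an added example and not code from the original report; the log format, the `IntelDiskVolume0` directory and the `happydoor.dll` file name are constructed for the sample, and only the `/s /n /i:<stage>` shape and the ProgramData location come from the page.

```python
import re

# Constructed sample process-creation log lines (not from the original report).
# Fields: timestamp | parent image | command line
SAMPLE_LOGS = [
    "2024-03-01T09:12:01Z|schtasks.exe|regsvr32.exe /s /n /i:init C:\\ProgramData\\IntelDiskVolume0\\happydoor.dll",
    "2024-03-01T09:12:05Z|regsvr32.exe|regsvr32.exe /s /n /i:run C:\\ProgramData\\IntelDiskVolume0\\happydoor.dll",
    "2024-03-01T10:00:00Z|msiexec.exe|regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll",
    "2024-03-01T10:05:00Z|explorer.exe|notepad.exe C:\\Users\\alice\\notes.txt",
]

# regsvr32 invocation: one or more /flag[:value] switches followed by the DLL path.
REGSVR32_RE = re.compile(r"regsvr32(?:\.exe)?\s+(?P<flags>(?:/\w+(?::\S+)?\s+)+)(?P<dll>.+)$", re.I)

# Stage prefixes reported for HappyDoor's /i argument across versions.
STAGE_PREFIXES = ("install", "init", "run")

def parse_regsvr32(cmdline):
    """Return (stage, dll_path) for a regsvr32 /n /i:<stage*> call, else None."""
    m = REGSVR32_RE.search(cmdline)
    if not m:
        return None
    flags = m.group("flags").split()
    has_n = any(f.lower() == "/n" for f in flags)          # skip DllRegisterServer
    inst = [f[3:] for f in flags if f.lower().startswith("/i:")]  # DllInstall argument
    if not (has_n and inst):
        return None
    stage = next((p for p in STAGE_PREFIXES if inst[0].lower().startswith(p)), None)
    return (stage, m.group("dll").strip()) if stage else None

def suspicious_regsvr32(lines):
    """Scan 'ts|parent|cmdline' records and return the HappyDoor-style regsvr32 hits."""
    hits = []
    for line in lines:
        ts, parent, cmd = line.split("|", 2)
        parsed = parse_regsvr32(cmd)
        if not parsed:
            continue
        stage, dll = parsed
        # A DLL under the user-writable ProgramData tree (as in the report) is the stronger signal.
        in_programdata = "\\programdata\\" in dll.lower()
        hits.append({"ts": ts, "parent": parent, "stage": stage, "dll": dll, "programdata": in_programdata})
    return hits
```

Pair the command-line match with the parent process (`schtasks.exe` for the task-driven stage, `regsvr32.exe` for the chained stage) to separate this flow from legitimate `/i` installs.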
Indicators of Compromise
- [MD5] – d9b15979e76dd5d18c31e62ab9ff7dae, 4ef5e3ce535f84f975a8212f5630bfe8, and 3 more hashes
- [URL] C2/Drop delivery URLs – hxxp://app.seoul.minia[.]ml/kinsa.php, hxxp://users.nya[.]pub/index.php, and hxxp://go.ktspace.p-e[.]kr/index.php
- [URL] Additional C2/Server references – hxxp://on.ktspace.p-e[.]kr/index.php, hxxp://aa.olixa.p-e[.]kr/index.php
- [URL] Example sample communications captured (2022 era) – rok.my[.]to/update (partial reference in packet decoding)
Read more: https://asec.ahnlab.com/en/67660/