Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 1 actor

HappyDoor

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Kimsuky

The group is also deploying new malware families like HelloDoor and HttpMalice, variants of PebbleDash, and enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.

via scworldscworld.com
MITRE ATT&CK

Techniques & procedures

21 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001Spearphishing AttachmentEvidence2

HappyDoor in this case is also being distributed via an email attachment just like the previous method of distribution. This attachment file contains a compressed file, and the latter carries a JScript or a dropper (executable file). Once that is run, HappyDoor is created and executed along with normal bait files.

Execution

5 techniques
T1053.005Scheduled TaskEvidence1

install* 1. Add to scheduler (“Intel\Disk\Volume0”) ... schtasks /create /f /tn “ Intel\Disk\Volume0 ” /tr “C:\Windows\system32\regsvr32.exe /s /n /i:init* ...” /sc minute /mo 5

T1059.001PowerShellEvidence1

1103 Run with PowerShell Creates a PS1 file and runs the data received as an argument ccmd

T1059.003Windows Command ShellEvidence1

1101 Run Command Line Runs the data received as an argument with the command prompt ccmd

T1059.007JavaScriptEvidence1

This attachment file contains a compressed file, and the latter carries a JScript or a dropper (executable file). Once that is run, HappyDoor is created and executed along with normal bait files.

T1204User ExecutionEvidence1

Kimsuky meticulously crafts and delivers spear-phishing emails to its targets in an attempt to entice them into opening attachments.

Persistence

2 techniques
T1053.005Scheduled TaskEvidence1

install* 1. Add to scheduler (“Intel\Disk\Volume0”) ... schtasks /create /f /tn “ Intel\Disk\Volume0 ” /tr “C:\Windows\system32\regsvr32.exe /s /n /i:init* ...” /sc minute /mo 5

T1112Modify RegistryEvidence1

HappyDoor configures the data encoded in two normal registry paths... HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad ... HKEY_CURRENT_USER\Software\Microsoft\FTP

Privilege Escalation

1 technique
T1053.005Scheduled TaskEvidence1

install* 1. Add to scheduler (“Intel\Disk\Volume0”) ... schtasks /create /f /tn “ Intel\Disk\Volume0 ” /tr “C:\Windows\system32\regsvr32.exe /s /n /i:init* ...” /sc minute /mo 5

Stealth

3 techniques
T1036MasqueradingEvidence2

HappyDoor configures the data encoded in two normal registry paths. The registry paths and the features are as follows: A. NOTEPAD Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad ... B. FTP Path: HKEY_CURRENT_USER\Software\Microsoft\FTP

T1218.010Regsvr32Evidence1

#Running HappyDoor IWshShell3. Run (“powershell.exe -windowstyle hidden cmd /c cmd /c regsvr32.exe /s /n /i:syrsd* C:\Windows\..\ProgramData\[HappyDoor] “, “0”, “true”);

T1620Reflective Code LoadingEvidence1

1105 Run Memory Loads the portable executable (PE) file in the memory and runs it

Defense Impairment

1 technique
T1112Modify RegistryEvidence1

HappyDoor configures the data encoded in two normal registry paths... HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad ... HKEY_CURRENT_USER\Software\Microsoft\FTP

Credential Access

2 techniques
T1056.001KeyloggingEvidence1

The malware performs a total of six major infostealing activities, each with the corresponding string: ... keylogger (keylogging) ... KEYLOGGER(KLOG) Saves the current time in addition to the processes and key information entered by the user.

T1649Steal or Forge Authentication CertificatesEvidence1

enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.

Discovery

1 technique
T1082System Information DiscoveryEvidence1

The “osi” file collects information such as the OS version, architecture, and the service pack version

Collection

6 techniques
T1005Data from Local SystemEvidence1

FILEMON(FMON) ... collects files that meet certain conditions from the paths below ... “%UserProfile%\Desktop”, “%UserProfile%\Document”, “%UserProfile%\Download”, “%UserProfile%\AppData\Local\Microsoft\Windows\INetCache\IE”

T1025Data from Removable MediaEvidence1

ALARM(AUSB, AMTP) This function collects data such as files, paths, and names of connected portable disks or devices... MTPMON(MMTP) ... collects certain files from “Android” portable devices via Media Transfer Protocol (MTP).

T1056.001KeyloggingEvidence1

The malware performs a total of six major infostealing activities, each with the corresponding string: ... keylogger (keylogging) ... KEYLOGGER(KLOG) Saves the current time in addition to the processes and key information entered by the user.

T1113Screen CaptureEvidence1

The malware performs a total of six major infostealing activities, each with the corresponding string: screenshot (capturing screenshots) ... SCREENSHOT(SSHT) Captures the current screen and saves it as a JPG file.

T1119Automated CollectionEvidence1

FILEMON(FMON) This function collects files that meet certain conditions from the paths below and saves them as a compressed file.

T1123Audio CaptureEvidence1

MICREC(MREC) This is a function that allows access to microphones and records voices.

Command and Control

2 techniques
T1071.001Web ProtocolsEvidence2

HappyDoor has been using HTTP to communicate with the C&C (Command and Control) server for quite a while.

T1105Ingress Tool TransferEvidence1

1005 Update Loads a new DLL file (argument) and terminates the old backdoor ... 1132 Download File Creates a file the threat actor desires in the infected PC

Exfiltration

1 technique
T1041Exfiltration Over C2 ChannelEvidence2

enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.

INDICATORS OF COMPROMISE

IOCs tracked for this family

26 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
11 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
7 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
8 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app2 years ago
domain●●●●●●●●●●●●View more in app2 years ago
domain●●●●●●●●●●●●View more in app2 years ago
hash.md5●●●●●●●●●●●●View more in app2 years ago
uri●●●●●●●●●●●●View more in app2 years ago
domain●●●●●●●●●●●●View more in app2 years ago
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
scworldNews
May 29, 2026
North Korean hackers Kimsuky target South Korea with new malware variants | brief | SC Media

Enhanced version of AppleSeed focused on data exfiltration and GPKI certificate extraction.

Read more
the hacker newsNews
May 29, 2026
Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels

An advanced version of AppleSeed.

Read more
ahnlab asec blogNews
Jun 25, 2024
Kimsuky Group’s New Backdoor (HappyDoor) - ASEC

A DLL-based backdoor used by Kimsuky, distributed via spear-phishing attachments. It runs through regsvr32, persists via scheduled tasks, stores configuration in the registry, communicates over HTTP with C2, steals screenshots, keystrokes, files, USB/MTP device data, microphone audio, and supports encrypted backdoor commands including command execution, file upload/download, update, and in-memory execution.

Read more
securelistNews
May 13, 2021
Disclosing new PebbleDash-based tools by Kimsuky | Securelist

An AppleSeed-based backdoor assessed as an advanced variant evolved from AppleSeed. It shares AppleSeed’s string obfuscation algorithm, collected data types, and RSA encryption.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching26

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping21

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.