Kimsuky Group's New Backdoor Appears (HappyDoor)

2024-06-26 Ahnlab New Kimsuky Backdoor Appears (HappyDoor)

https://asec.ahnlab.com/ko/67128/


AhnLab analyzed HappyDoor, a Kimsuky backdoor first collected in 2021 and still observed in 2024 with patched versions, hard-coded version data, and recent samples labeled “happy” 4.2. The malware is distributed through spear-phishing attachments containing obfuscated JScript or executable droppers that launch a decoy document and install the DLL through regsvr32.exe with staged arguments such as install*, init*, and run*. HappyDoor establishes persistence with a scheduled task, stores configuration under Microsoft Notepad and FTP registry paths, and uses HTTP C2 to validate packets, exfiltrate data, and receive backdoor commands. Its collection functions include screenshots, keylogging, file theft from user directories, portable-device and Android MTP file collection, microphone recording, system information gathering, and command execution results, with stolen data encrypted using RSA and RC4 before exfiltration. The report provides hashes, install arguments, paths, C2 URLs, and behavioral artifacts that help defenders distinguish HappyDoor from AppleSeed and hunt for Kimsuky intrusions.

Indicators of Compromise

Type Value First Seen Last Seen
HASH d9b15979e76dd5d18c31e62ab9ff7dae 2024-06-26 2024-07-05
HASH 0054bdfe4cac0cb7a717749f8c08f5f3 2024-06-26 2024-07-05
HASH 4ef5e3ce535f84f975a8212f5630bfe8 2024-06-26 2024-07-05
HASH a1c59fec34fec1156e7db27ec16121a7 2024-06-26 2024-07-05
HASH c7b82b4bafb677bf0f4397b0b88ccfa2 2024-06-26 2024-07-05
URL http://aa.olixa.p-e.kr/index.php 2024-06-26 2024-07-05
URL http://app.seoul.minia.ml/kinsa… 2024-06-26 2024-07-05
URL http://users.nya.pub/index.php 2024-06-26 2024-07-05
URL http://ai.hyyeo.p-e.kr/index.php 2024-06-26 2024-07-05
URL http://uo.zosua.o-r.kr/index.php 2024-06-26 2024-07-05
URL http://go.ktspace.p-e.kr/index.… 2024-06-26 2024-07-05
URL http://on.ktspace.p-e.kr/index.… 2024-06-26 2024-07-05
URL http://jp.hyyeo.p-e.kr/index.php 2024-06-26 2024-07-05
DOMAIN ai.hyyeo.p-e.kr 2024-06-26 2024-07-05
DOMAIN go.ktspace.p-e.kr 2024-06-26 2024-07-05
DOMAIN jp.hyyeo.p-e.kr 2024-06-26 2024-07-05
DOMAIN on.ktspace.p-e.kr 2024-06-26 2024-07-05
DOMAIN users.nya.pub 2024-06-26 2024-07-05
DOMAIN app.seoul.minia.ml 2024-06-26 2024-07-05
DOMAIN uo.zosua.o-r.kr 2024-03-25 2024-07-05
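The list above, turned into a small hunting helper. This is an added example, not code from the AhnLab report or from the page: it parses the IoC table into structured records, matches constructed sample proxy log lines and file hashes against them (truncated URLs ending in "…" are treated as prefixes), and flags regsvr32.exe command lines whose stage argument begins with install, init or run. The log line format, the sample lines, and the exact regsvr32 argument pattern are assumptions for illustration; the page only states that such stage arguments exist.

```python
"""Added example (not from the AhnLab report): parse the HappyDoor IoC list
and check constructed sample telemetry against it."""
import re
from urllib.parse import urlparse

# IoC values copied from the page. Two URLs are truncated on the page ("…");
# they are kept as-is and matched as prefixes rather than exact strings.
IOC_TEXT = """
HASH d9b15979e76dd5d18c31e62ab9ff7dae
HASH 0054bdfe4cac0cb7a717749f8c08f5f3
HASH 4ef5e3ce535f84f975a8212f5630bfe8
HASH a1c59fec34fec1156e7db27ec16121a7
HASH c7b82b4bafb677bf0f4397b0b88ccfa2
URL http://aa.olixa.p-e.kr/index.php
URL http://app.seoul.minia.ml/kinsa…
URL http://users.nya.pub/index.php
URL http://ai.hyyeo.p-e.kr/index.php
URL http://uo.zosua.o-r.kr/index.php
URL http://go.ktspace.p-e.kr/index.…
URL http://on.ktspace.p-e.kr/index.…
URL http://jp.hyyeo.p-e.kr/index.php
DOMAIN ai.hyyeo.p-e.kr
DOMAIN go.ktspace.p-e.kr
DOMAIN jp.hyyeo.p-e.kr
DOMAIN on.ktspace.p-e.kr
DOMAIN users.nya.pub
DOMAIN app.seoul.minia.ml
DOMAIN uo.zosua.o-r.kr
"""


def parse_iocs(text):
    """Group 'TYPE value' lines into lower-cased sets keyed by type."""
    iocs = {"HASH": set(), "URL": set(), "DOMAIN": set()}
    for line in text.strip().splitlines():
        kind, value = line.split(maxsplit=1)
        iocs[kind].add(value.strip().lower())
    return iocs


def url_matches(url, iocs):
    """True if the URL's host is a listed domain, the URL equals a listed URL,
    or it continues a URL that is truncated on the page."""
    u = url.lower()
    host = urlparse(u).hostname or ""
    if host in iocs["DOMAIN"]:
        return True
    for known in iocs["URL"]:
        if known.endswith("…"):
            if u.startswith(known[:-1]):
                return True
        elif u == known:
            return True
    return False


# Installer-stage heuristic: regsvr32 loading a DLL with a stage argument that
# starts with install, init or run. The argument syntax is an assumption;
# the page only names the install*/init*/run* families.
REGSVR32_STAGE = re.compile(
    r"regsvr32(\.exe)?\b.*(?:^|\s)(install|init|run)\S*", re.IGNORECASE
)


def suspicious_process(cmdline):
    """True when a process command line matches the regsvr32 stage heuristic."""
    return bool(REGSVR32_STAGE.search(cmdline))


# Constructed proxy log lines: 'timestamp client url' (format is an assumption).
SAMPLE_PROXY_LOG = [
    "2024-06-27T09:01:02Z 10.0.0.5 http://www.example.org/",
    "2024-06-27T09:01:09Z 10.0.0.5 http://uo.zosua.o-r.kr/index.php",
    "2024-06-27T09:02:15Z 10.0.0.7 http://app.seoul.minia.ml/kinsa/x.php",
]


def scan_proxy_log(lines, iocs):
    """Return the URLs from the log lines that hit a listed URL or domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and url_matches(parts[2], iocs):
            hits.append(parts[2])
    return hits


def scan_hashes(hashes, iocs):
    """Return the input hashes (original case) that appear in the IoC list."""
    return [h for h in hashes if h.lower() in iocs["HASH"]]


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print("proxy hits:", scan_proxy_log(SAMPLE_PROXY_LOG, iocs))
    print("hash hits:", scan_hashes(["D9B15979E76DD5D18C31E62AB9FF7DAE"], iocs))
    print("regsvr32 stage:", suspicious_process(r"regsvr32.exe /s C:\x\a.dll install_a"))
```

Note the difference between the URL and DOMAIN entries: aa.olixa.p-e.kr appears only as a full URL on the page, so a request to another path on that host is not a hit here, whereas any path under a listed domain is. Widen the match only when your own telemetry justifies it.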
