Kimsuky Group's New Backdoor Appears (HappyDoor)

2024-07-05 Ahnlab

https://asec.ahnlab.com/en/67660/


AhnLab tracks HappyDoor as a Kimsuky backdoor first collected in 2021 and still active in 2024, with recent samples hard-coding version 4.2 and dates from late 2023 to early 2024. The malware is delivered through spear-phishing attachments that unpack a JScript or dropper, decode HappyDoor with certutil, and launch it through regsvr32 with distinctive /i arguments such as syrsd* or s*. ASEC says the backdoor supports screenshots, keylogging, file monitoring and exfiltration, connected-device enumeration, microphone recording, and Android MTP file theft, with C2s hosted on p-e.kr and related domains. The report distinguishes HappyDoor from AppleSeed by its execution arguments and documents ongoing monthly patching by the actor.
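The execution chain summarised above (certutil decoding the payload, then regsvr32 launching it with an unusual /i argument) is the kind of detail a detection engineer turns into a rule. The following is an added example, not code from the ASEC report: it scores process-creation events for the regsvr32 /i patterns the report names (syrsd* and s*) and raises severity when a certutil -decode preceded the launch on the same host. The event fields, the sample command lines and the 10-minute window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Accept "/i:value", "/i value" and "-i:value" forms of the regsvr32 install argument.
REGSVR32_I_ARG = re.compile(r"(?i)(?:^|\s)[/-]i[:\s]+\"?([^\"\s]+)")
CERTUTIL_DECODE = re.compile(r"(?i)\bcertutil(?:\.exe)?\b.*\s-decode\b")

def regsvr32_indicator(cmdline):
    """Score a regsvr32 command line: 3 = /i argument starts with 'syrsd',
    2 = other bare token starting with 's', 0 = nothing suspicious."""
    if "regsvr32" not in cmdline.lower():
        return 0
    m = REGSVR32_I_ARG.search(cmdline)
    if not m:
        return 0
    value = m.group(1)
    if value.lower().startswith("syrsd"):
        return 3
    # A bare alphanumeric token starting with 's' is unusual; installers normally pass paths or URLs.
    if re.fullmatch(r"(?i)s\w*", value):
        return 2
    return 0

def find_happydoor_chains(events, window=timedelta(minutes=10)):
    """Correlate certutil -decode with a suspicious regsvr32 launch on the same host.
    events: dicts with 'ts' (ISO 8601), 'host' and 'cmdline'. Returns a list of alerts."""
    alerts, decodes = [], {}          # decodes: host -> timestamps of certutil -decode runs
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if CERTUTIL_DECODE.search(ev["cmdline"]):
            decodes.setdefault(ev["host"], []).append(ts)
            continue
        score = regsvr32_indicator(ev["cmdline"])
        if score == 0:
            continue
        preceded = any(ts - d <= window for d in decodes.get(ev["host"], []) if d <= ts)
        severity = "high" if (score == 3 or preceded) else "medium"
        alerts.append({"host": ev["host"], "ts": ev["ts"], "severity": severity, "cmdline": ev["cmdline"]})
    return alerts

# Constructed sample telemetry (not from the report): one decode-then-launch chain plus benign noise.
SAMPLE_EVENTS = [
    {"ts": "2024-07-01T09:00:00", "host": "ws01", "cmdline": "certutil.exe -decode C:\\Temp\\a.txt C:\\Temp\\a.dll"},
    {"ts": "2024-07-01T09:00:05", "host": "ws01", "cmdline": "regsvr32.exe /s /n /i:syrsdd C:\\Temp\\a.dll"},
    {"ts": "2024-07-01T10:00:00", "host": "ws02", "cmdline": "regsvr32.exe /s C:\\Program Files\\Vendor\\ctl.dll"},
    {"ts": "2024-07-01T11:00:00", "host": "ws03", "cmdline": "regsvr32.exe /n /i:sm C:\\Users\\u\\AppData\\Roaming\\x.dll"},
]

if __name__ == "__main__":
    for a in find_happydoor_chains(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["cmdline"])
```

The lone "/i:sm" launch on ws03 is only medium because the s* pattern is broad; in production, pair it with the certutil correlation or with the payload path living under a user-writable directory before paging anyone.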

Indicators of Compromise

