AppleSeed
AppleSeed is a backdoor malware family attributed to the North Korean threat actor Kimsuky and first observed in 2019. It has been used in multiple structural and functional variants, including Dropper and Spy forms, and later evolved into related tooling such as HappyDoor. Reporting describes AppleSeed as a significant component of Kimsuky operations, especially in campaigns targeting South Korean organizations, with government entities frequently cited; broader reporting also notes targeting of military, defense, healthcare, corporate, public-sector, university, IT, communications, construction, machinery, medical, and energy-related victims.
AppleSeed has been distributed primarily through spear-phishing emails carrying malicious attachments, often disguised as document files or installers. Infection occurs when the victim runs the attachment; a decoy document is sometimes opened at the same time to mask the activity. Delivery has also involved JSE, PIF, SCR, and EXE droppers. Reported execution paths include PowerShell, JavaScript/JScript droppers that invoke PowerShell, and regsvr32.exe.
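The execution chain above (a script host running a JSE/JScript dropper that spawns PowerShell, and regsvr32.exe used to run a payload) is something a SOC can hunt for in process-creation telemetry. The following is an added example, not code from the page or from Mallory: it applies two heuristics of my own to Sysmon Event ID 1 (ProcessCreate) records, using the real Sysmon field names (Image, ParentImage, CommandLine, ProcessId). The events are constructed for illustration, and the path and command-line patterns are assumptions about what "suspicious" looks like in a typical environment, not indicators taken from any AppleSeed sample.

```python
"""Heuristic detection of the AppleSeed-style execution chain: a script host
(wscript/cscript running a .jse/.js dropper) spawning PowerShell, and
regsvr32.exe executing from, or spawned by, something a user controls.
Input: Sysmon Event ID 1 records. The sample events below are constructed."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: these profile folders are where user-delivered droppers land.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
# PowerShell accepts prefixes of -EncodedCommand; match the common short forms.
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a list of alert labels for one ProcessCreate event."""
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    alerts = []
    if image in ("powershell.exe", "pwsh.exe") and parent in SCRIPT_HOSTS:
        label = "script-host->powershell"
        if ENCODED_FLAG.search(cmd + " "):
            label += " (encoded command)"
        alerts.append(label)
    if image == "regsvr32.exe":
        if USER_WRITABLE.search(cmd):
            alerts.append("regsvr32 loading from user-writable path")
        if parent in SCRIPT_HOSTS:
            alerts.append("regsvr32 spawned by script host")
    return alerts


def scan(events):
    """(ProcessId, alert) pairs for every event that triggers a heuristic."""
    return [(e["ProcessId"], a) for e in events for a in classify(e)]


# Constructed sample telemetry: a JSE dropper chain plus one benign PowerShell.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "wscript.exe C:\\Users\\kim\\Downloads\\report.jse"},
    {"ProcessId": 4188,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"ProcessId": 4202, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "regsvr32.exe /s C:\\Users\\kim\\AppData\\Roaming\\svc.dll"},
    {"ProcessId": 5000,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for pid, alert in scan(SAMPLE_EVENTS):
        print(pid, alert)
```

The parent-child relationship does the heavy lifting here; the encoded-command and user-writable-path checks only raise severity. In a real deployment, key on ProcessGuid rather than ProcessId (PIDs are reused) and tune the path list to the environment.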
Functionally, AppleSeed operates as a backdoor and information stealer. The Dropper variant downloads additional malware and executes commands received from command-and-control (C2) infrastructure. The Spy variant collects sensitive information including documents, screenshots, keystrokes, USB drive lists, and data from the C:\GPKI directory. Multiple sources state that AppleSeed automatically collects data from USB drives, captures screenshots through API calls, stages files in a central location prior to exfiltration, compresses (zips) and encrypts the collected data before transfer, and exfiltrates the files over its C2 channel. One report also states that AppleSeed uses email-based C2 communications over SMTP and IMAP. AppleSeed version 2.1 has reportedly collected the C:\GPKI directory since 2022, reflecting Kimsuky's interest in the digital certificates used by the South Korean government.
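Individually, each behaviour in the paragraph above (reading C:\GPKI, staging an archive, talking to a mail server) is noisy; together, from the same process, they are a strong signal. The following is an added example, not code from the page or from Mallory, showing one way to correlate them. It assumes three log sources with their real field names: Windows Security Event 4663 (file object access, which only fires if a SACL has been set on C:\GPKI), Sysmon Event 11 (FileCreate) and Sysmon Event 3 (NetworkConnect). Correlating on ProcessId is a simplification, since 4663 carries no ProcessGuid; the mail-client allowlist, the staging-archive extensions and all sample records are constructed assumptions.

```python
"""Correlates three weak signals into one alert, keyed per process:
  (1) read access to C:\\GPKI          -> Security Event 4663 (needs a SACL)
  (2) an archive written anywhere      -> Sysmon Event 11 (FileCreate)
  (3) outbound SMTP/IMAP from a process
      that is not a mail client        -> Sysmon Event 3 (NetworkConnect)
Any process showing two or more of these is reported. Sample events are
constructed for illustration."""
from collections import defaultdict

MAIL_PORTS = {25, 465, 587, 143, 993}          # SMTP, SMTPS, submission, IMAP, IMAPS
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: tune per environment
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".cab")
GPKI_ROOT = "c:\\gpki\\"


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def signal_for(event):
    """Map a single event to one of the three signals, or None."""
    eid = event["EventID"]
    if eid == 4663 and event["ObjectName"].lower().startswith(GPKI_ROOT):
        return "gpki-read"
    if eid == 11 and event["TargetFilename"].lower().endswith(ARCHIVE_EXT):
        return "archive-staged"
    if (eid == 3 and int(event["DestinationPort"]) in MAIL_PORTS
            and basename(event["Image"]) not in MAIL_CLIENTS):
        return "mail-port-egress"
    return None


def correlate(events, threshold=2):
    """Return {ProcessId: sorted signals} for processes with >= threshold signals."""
    signals = defaultdict(set)
    for e in events:
        s = signal_for(e)
        if s:
            signals[e["ProcessId"]].add(s)
    return {pid: sorted(s) for pid, s in signals.items() if len(s) >= threshold}


# Constructed sample telemetry. PID 4202 exhibits all three behaviours;
# Outlook on IMAPS and Explorer writing a zip are benign single signals.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ProcessId": 4202,
     "ProcessName": "C:\\Users\\kim\\AppData\\Roaming\\Update\\update.exe",
     "ObjectName": "C:\\GPKI\\cert.der", "AccessMask": "0x1"},
    {"EventID": 11, "ProcessId": 4202,
     "Image": "C:\\Users\\kim\\AppData\\Roaming\\Update\\update.exe",
     "TargetFilename": "C:\\Users\\kim\\AppData\\Local\\Temp\\st\\0001.zip"},
    {"EventID": 3, "ProcessId": 4202,
     "Image": "C:\\Users\\kim\\AppData\\Roaming\\Update\\update.exe",
     "DestinationPort": 587},
    {"EventID": 3, "ProcessId": 900,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "DestinationPort": 993},
    {"EventID": 11, "ProcessId": 1234, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\kim\\Documents\\photos.zip"},
]

if __name__ == "__main__":
    for pid, sigs in correlate(SAMPLE_EVENTS).items():
        print(pid, ", ".join(sigs))
```

The GPKI signal is the one most worth the auditing cost: enabling a read SACL on a single directory that ordinary applications rarely touch produces few events, and any non-government-PKI process reading it deserves a look even without the other two signals.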
AppleSeed is closely associated with Kimsuky malware clusters and has been deployed alongside other Kimsuky tooling including PebbleDash and AlphaSeed. Public reporting also describes HappyDoor as an enhanced or advanced AppleSeed-derived malware focused on data exfiltration and GPKI certificate extraction. A referenced debug path for a sample is F:\PC_Manager\Utopia_v0.1\bin\AppleSeed.pdb.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2021-1675 (Windows Print Spooler), listed in a referenced report's privilege-escalation section alongside the UACMe UAC-bypass tool.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The group is also deploying new malware families like HelloDoor and HttpMalice, variants of PebbleDash, and enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.
AppleSeed, a backdoor-type malware that was developed and used by the Kimsuky group, was first discovered in 2019 and has been circulating in various structural and functional variations since then.
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The group primarily uses spear-phishing attacks to distribute malware and attempt to take over accounts to harvest data.
HappyDoor in this case is also being distributed via an email attachment just like the previous method of distribution. This attachment file contains a compressed file, and the latter carries a JScript or a dropper (executable file). Once that is run, HappyDoor is created and executed along with normal bait files.
Execution
5 techniques
HTTPSpy is a full-featured remote access trojan that supports a wide range of capabilities to run shell commands, upload/download files, execute processes, capture screenshots, inject DLL paths into specified PID processes, and erase itself from the endpoint.
The discovered JSE file drops two additional pieces of malware encoded in Base64 and executes them through PowerShell commands.
AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
An EXE file disguised as the SGA Solutions installer drops and executes information-stealing malware.
Persistence
2 techniques
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include AppleSeed creating 'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce', AvosLocker executed via the RunOnce Registry key, NanoCore creating a RunOnce key, and Raspberry Robin setting a RunOnce key.
Privilege Escalation
1 technique
Registry Run / RunOnce autostart: the same evidence quoted under Persistence above, since the technique spans both tactics.
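The Run/RunOnce autostart evidence cited under Persistence and Privilege Escalation is straightforward to monitor with Sysmon Event ID 13 (RegistryEvent, SetValue). The following is an added example, not code from the page or from Mallory. It uses the real Sysmon fields (EventType, TargetObject, Details, Image) and relies on two facts about Sysmon: it reports user hives as HKU\<SID>\... rather than HKCU, and a RunOnce value is deleted by Windows after it executes. Forward slashes are normalised so the mixed-slash path quoted above ('Microsoft/Windows') still matches. The "suspicious host" list, the user-writable path patterns and the sample records are my own assumptions.

```python
"""Flags Run/RunOnce autostart values from Sysmon Event 13 (RegistryEvent,
SetValue) and explains why each one looks suspicious. Sample records are
constructed for illustration."""
import re

# HKCU appears as HKU\<SID> in Sysmon; HKLM is matched as-is. Wow6432Node
# covers 32-bit autostarts on 64-bit Windows.
RUN_KEY = re.compile(
    r"^(HKU\\[^\\]+|HKLM)\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\"
    r"CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# Assumption: autostarts that launch a script host or LOLBin need a look.
SUSPICIOUS_HOST = re.compile(
    r"(wscript|cscript|mshta|powershell|pwsh|regsvr32|rundll32)\.exe", re.I)
# Assumption: autostarts pointing into profile or temp folders need a look.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents|Public)\\|\\Temp\\",
    re.I)


def normalise(key):
    """Canonicalise a registry path: forward slashes become backslashes."""
    return key.replace("/", "\\")


def assess(event):
    """(value_name, reasons) if the event sets a Run/RunOnce value, else None.
    An empty reasons list means the value was set but looks benign."""
    if event.get("EventType") != "SetValue":
        return None
    m = RUN_KEY.match(normalise(event["TargetObject"]))
    if not m:
        return None
    details = event.get("Details", "")
    reasons = []
    if SUSPICIOUS_HOST.search(details):
        reasons.append("script/LOLBin host in command")
    if USER_WRITABLE.search(details):
        reasons.append("target in user-writable path")
    if m.group("key").lower() == "runonce":
        reasons.append("RunOnce key (value is removed after it runs)")
    return m.group("name"), reasons


def hits(events):
    """Only the Run/RunOnce values that have at least one reason."""
    return [r for r in map(assess, events) if r and r[1]]


# Constructed sample telemetry: one suspicious RunOnce, one benign Run,
# one unrelated registry event.
SAMPLE_EVENTS = [
    {"EventType": "SetValue",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\"
                     "Microsoft/Windows\\CurrentVersion\\RunOnce\\Updater",
     "Details": "wscript.exe //B C:\\Users\\kim\\AppData\\Roaming\\upd.js",
     "Image": "C:\\Users\\kim\\AppData\\Roaming\\upd.exe"},
    {"EventType": "SetValue",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\"
                     "Run\\SecurityHealth",
     "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
     "Image": "C:\\Windows\\System32\\msiexec.exe"},
    {"EventType": "DeleteValue",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\"
                     "Run\\OldTool", "Details": ""},
]

if __name__ == "__main__":
    for name, reasons in hits(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

Because RunOnce entries disappear after they fire, the SetValue event is often the only durable record of the autostart; alerting at write time, rather than by periodic registry audit, is what makes this reliable.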
Stealth
7 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.' | Several entries explicitly state files were deleted after exfiltration or upload, such as 'AppleSeed can delete files from a compromised host after they are exfiltrated,' 'Attor’s plugin deletes the collected files and log files after exfiltration,' and 'Ursnif has deleted data staged in tmp files after exfiltration.'
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Defense Impairment
1 technique
Credential Access
2 techniques
The Spy version gathers sensitive information such as documents, screenshots, keystrokes, and lists of USB drives.
enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.
Discovery
7 techniques
Collects network configuration and ARP table information from the compromised system.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Uses the systeminfo command to gather system information.
Scans specific paths (Desktop, Downloads, Documents, etc.) for file lists to steal information.
Gathers user account information on the system by using 'net user'.
The Spy version gathers sensitive information such as documents, screenshots, keystrokes, and lists of USB drives.
Checks for installed anti-virus software on the system.
Collection
4 techniques
The Spy version gathers sensitive information such as documents, screenshots, keystrokes, and lists of USB drives. This also includes harvesting data from the C:\GPKI directory.
The Spy version gathers sensitive information such as documents, screenshots, keystrokes, and lists of USB drives.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
HTTPSpy is a full-featured remote access trojan that supports a wide range of capabilities to run shell commands, upload/download files, execute processes, capture screenshots, inject DLL paths into specified PID processes, and erase itself from the endpoint.
Command and Control
3 techniques
The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload.
Performs HTTP communication to exfiltrate the stolen information.
Exfiltration
1 technique
Enhanced versions of AppleSeed, such as HappyDoor, focus on data exfiltration and GPKI certificate extraction.
IOCs tracked for this family
27 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
63 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Existing malware family used by Kimsuky, with enhanced versions such as HappyDoor.
A malware family with Dropper and Spy variants. The Dropper downloads additional malware and executes C2 commands, while the Spy variant steals documents, screenshots, keystrokes, USB drive listings, and data from the C:\GPKI directory.
AppleSeed is referenced as a named malware family discussed alongside PebbleDash in Kimsuky campaigns.
Malware payload referenced as being delivered via malicious QR-code spear-phishing infrastructure in the described Kimsuky campaign, enabling post-compromise access and follow-on operations.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.