HappyDoor
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The group is also deploying new malware families like HelloDoor and HttpMalice, variants of PebbleDash, and enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 techniqueHappyDoor in this case is also being distributed via an email attachment just like the previous method of distribution. This attachment file contains a compressed file, and the latter carries a JScript or a dropper (executable file). Once that is run, HappyDoor is created and executed along with normal bait files.
Execution
5 techniquesinstall* 1. Add to scheduler (“Intel\Disk\Volume0”) ... schtasks /create /f /tn “ Intel\Disk\Volume0 ” /tr “C:\Windows\system32\regsvr32.exe /s /n /i:init* ...” /sc minute /mo 5
1103 Run with PowerShell Creates a PS1 file and runs the data received as an argument ccmd
1101 Run Command Line Runs the data received as an argument with the command prompt ccmd
This attachment file contains a compressed file, and the latter carries a JScript or a dropper (executable file). Once that is run, HappyDoor is created and executed along with normal bait files.
Kimsuky meticulously crafts and delivers spear-phishing emails to its targets in an attempt to entice them into opening attachments.
Persistence
2 techniquesinstall* 1. Add to scheduler (“Intel\Disk\Volume0”) ... schtasks /create /f /tn “ Intel\Disk\Volume0 ” /tr “C:\Windows\system32\regsvr32.exe /s /n /i:init* ...” /sc minute /mo 5
Privilege Escalation
1 techniqueStealth
3 techniquesHappyDoor configures the data encoded in two normal registry paths. The registry paths and the features are as follows: A. NOTEPAD Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad ... B. FTP Path: HKEY_CURRENT_USER\Software\Microsoft\FTP
#Running HappyDoor IWshShell3. Run (“powershell.exe -windowstyle hidden cmd /c cmd /c regsvr32.exe /s /n /i:syrsd* C:\Windows\..\ProgramData\[HappyDoor] “, “0”, “true”);
1105 Run Memory Loads the portable executable (PE) file in the memory and runs it
Defense Impairment
1 techniqueCredential Access
2 techniquesThe malware performs a total of six major infostealing activities, each with the corresponding string: ... keylogger (keylogging) ... KEYLOGGER(KLOG) Saves the current time in addition to the processes and key information entered by the user.
enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.
Discovery
1 techniqueThe “osi” file collects information such as the OS version, architecture, and the service pack version
Collection
6 techniquesFILEMON(FMON) ... collects files that meet certain conditions from the paths below ... “%UserProfile%\Desktop”, “%UserProfile%\Document”, “%UserProfile%\Download”, “%UserProfile%\AppData\Local\Microsoft\Windows\INetCache\IE”
ALARM(AUSB, AMTP) This function collects data such as files, paths, and names of connected portable disks or devices... MTPMON(MMTP) ... collects certain files from “Android” portable devices via Media Transfer Protocol (MTP).
The malware performs a total of six major infostealing activities, each with the corresponding string: ... keylogger (keylogging) ... KEYLOGGER(KLOG) Saves the current time in addition to the processes and key information entered by the user.
The malware performs a total of six major infostealing activities, each with the corresponding string: screenshot (capturing screenshots) ... SCREENSHOT(SSHT) Captures the current screen and saves it as a JPG file.
FILEMON(FMON) This function collects files that meet certain conditions from the paths below and saves them as a compressed file.
MICREC(MREC) This is a function that allows access to microphones and records voices.
Command and Control
2 techniquesHappyDoor has been using HTTP to communicate with the C&C (Command and Control) server for quite a while.
1005 Update Loads a new DLL file (argument) and terminates the old backdoor ... 1132 Download File Creates a file the threat actor desires in the infected PC
Exfiltration
1 techniqueenhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.
IOCs tracked for this family
26 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Enhanced version of AppleSeed focused on data exfiltration and GPKI certificate extraction.
An advanced version of AppleSeed.
A DLL-based backdoor used by Kimsuky, distributed via spear-phishing attachments. It runs through regsvr32, persists via scheduled tasks, stores configuration in the registry, communicates over HTTP with C2, steals screenshots, keystrokes, files, USB/MTP device data, microphone audio, and supports encrypted backdoor commands including command execution, file upload/download, update, and in-memory execution.
An AppleSeed-based backdoor assessed as an advanced variant evolved from AppleSeed. It shares AppleSeed’s string obfuscation algorithm, collected data types, and RSA encryption.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.