Analysis of APT-C-55 (Kimsuky) Organization's HappyDoor Backdoor Attack Based on VMP Strong Shell
Essential information
- Published
- 10/07/2025 18:41
- Modified
- 13/07/2025 11:40
- Tags
- 2025-07-10 apt backdoor happydoor information theft multi-stage attack vmp
- Related entities
- 6 observables, 1 intrusion sets (apt), 11 techniques (mitre), 1 malware, 4 others
Description
The APT-C-55 (Kimsuky) group, a North Korean threat actor, has launched a new attack campaign targeting South Korea. They used a disguised Bandizip installation package to deliver malicious code and a VMP-protected HappyDoor trojan for espionage activities. The attack involves remote script loading, multi-stage malware deployment, and information theft. The malware collects sensitive data, including user information, system details, and files from specific directories. It also implements keylogging, screen capture, and mobile device monitoring functionalities. The attack methodology and infrastructure align with Kimsuky's historical patterns, including the use of similar scripts, backdoor families, and domain naming conventions.