Analysis of APT-C-55 (Kimsuky) Organization's HappyDoor Backdoor Attack Based on VMP Strong Shell

Description

The APT-C-55 (Kimsuky) group, a North Korean threat actor, has launched a new attack campaign targeting South Korea. They used a disguised Bandizip installation package to deliver malicious code and a VMP-protected HappyDoor trojan for espionage activities. The attack involves remote script loading, multi-stage malware deployment, and information theft. The malware collects sensitive data, including user information, system details, and files from specific directories. It also implements keylogging, screen capture, and mobile device monitoring functionalities. The attack methodology and infrastructure align with Kimsuky's historical patterns, including the use of similar scripts, backdoor families, and domain naming conventions.