HelloDoor
Groups observed using it
1 distinct threat actor, Kimsuky, attributed by public researchers.
The group is also deploying new malware families like HelloDoor and HttpMalice, variants of PebbleDash, and enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Kimsuky obtains initial access to target systems by delivering spear-phishing emails containing malicious attachments disguised as documents.
Execution
3 techniques
HTTPSpy is a full-featured remote access trojan that supports a wide range of capabilities to run shell commands, upload/download files, execute processes, capture screenshots, inject DLL paths into specified PID processes, and erase itself from the endpoint.
The malicious payload runs powershell.exe -windowstyle hidden certutil -decode [src path] [dst path] to perform the second Base64 decoding before execution.
Kimsuky meticulously crafts and delivers spear-phishing emails to its targets in an attempt to entice them into opening attachments.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth (Defense Evasion in ATT&CK terms)
3 techniques
Reger Dropper (.SCR) and Pidoc Dropper (.PIF) also contain benign lure files and malicious payloads that, in both cases, are encrypted using XOR operations... Pidoc Dropper is fully obfuscated using dummy data and encrypted strings.
These attachments often consist of compressed files containing droppers in formats such as .JSE, .EXE, .PIF, or .SCR. The filenames are consistent with the message content and are meant to convince the recipient to open the attachment.
Ultimately, the malicious payload is executed via command-line instructions such as regsvr32.exe /s [file path]
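The execution chain above (hidden-window PowerShell driving certutil -decode, then regsvr32.exe /s on the decoded file, all spawned from a .SCR/.PIF dropper) is easy to hunt in process-creation telemetry. The following is an added example, not code from the page or from Mallory: it runs three checks over Sysmon-style Event ID 1 records (Image, CommandLine, ParentImage). The field names, the directory trust rule and the sample events are assumptions constructed for the example.

```python
"""Hunt the dropper -> hidden PowerShell -> certutil -decode -> regsvr32 /s chain
in process-creation events. Added example; field names and sample data are assumed."""
import re

LOLBINS = ("powershell.exe", "certutil.exe", "regsvr32.exe")
# Dropper extensions named in the reports. ".exe" is deliberately left out of the
# parent check: every user-launched installer would match and drown the signal.
DROPPER_EXTS = (".scr", ".pif", ".jse")

# "-windowstyle hidden" plus the abbreviated forms powershell.exe accepts (-w hidden, -win h)
HIDDEN_WINDOW = re.compile(r"-w\w*\s+h\w*", re.I)
CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\b.*?[-/]decode\b", re.I)
REGSVR32_SILENT = re.compile(r"\bregsvr32(?:\.exe)?\b.*?/s\b", re.I)
# Directories a standard user cannot write to. C:\Windows\Temp is the exception:
# it sits under Windows but is world-writable, so it is treated as untrusted.
TRUSTED_PREFIX = re.compile(r"^[a-z]:\\(?:windows|program files(?: \(x86\))?)\\", re.I)
WINDOWS_TEMP = re.compile(r"^[a-z]:\\windows\\temp\\", re.I)

# Constructed sample events (not real telemetry): one true chain, two benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -windowstyle hidden certutil -decode "
                    r"C:\Users\alice\AppData\Local\Temp\doc.b64 C:\Users\alice\AppData\Local\Temp\doc.dll",
     "ParentImage": r"C:\Users\alice\Downloads\report_2024.scr"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\doc.dll",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify cert.cer",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def last_arg(cmdline):
    """Last quoted or unquoted token of a command line: the file regsvr32 will load."""
    tokens = re.findall(r'"([^"]*)"|(\S+)', cmdline)
    if not tokens:
        return ""
    quoted, bare = tokens[-1]
    return quoted or bare


def is_untrusted_location(path):
    """True if a standard user could have written the file at this path."""
    return bool(path) and (not TRUSTED_PREFIX.match(path) or bool(WINDOWS_TEMP.match(path)))


def analyze(events):
    """Return [(rule_name, command_line), ...] for every event that trips a rule."""
    findings = []
    for ev in events:
        cl = ev["CommandLine"]
        image = basename(ev["Image"])
        parent_path = ev.get("ParentImage", "")
        # Rule 1: hidden-window PowerShell that invokes certutil -decode (second-stage decode).
        if HIDDEN_WINDOW.search(cl) and CERTUTIL_DECODE.search(cl):
            findings.append(("hidden_powershell_certutil_decode", cl))
        # Rule 2: silent regsvr32 registering a DLL from a user-writable directory.
        if REGSVR32_SILENT.search(cl) and is_untrusted_location(last_arg(cl)):
            findings.append(("regsvr32_silent_untrusted_path", cl))
        # Rule 3: a LOLBin whose parent is a .scr/.pif/.jse dropper outside system directories.
        if (image in LOLBINS and basename(parent_path).endswith(DROPPER_EXTS)
                and is_untrusted_location(parent_path)):
            findings.append(("lolbin_spawned_by_dropper", cl))
    return findings


if __name__ == "__main__":
    for rule, cl in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {cl}")
```

Rule 2 on its own is the noisy one (software installers also register DLLs from temp directories), which is why the example keys it on the load path rather than on regsvr32 alone; in practice chain it with rule 1 or rule 3 on the same host within a short window before paging anyone.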
Discovery
1 technique
The more recent variant gathers critical information from the compromised system, such as the current directory path, volume serial numbers, user privileges, username, local IP address...
Command and Control
3 techniques
The implant communicates with the C2 server ... over the HTTP protocol.
It is noteworthy that HelloDoor employs a C2 server hosted through TryCloudflare... they actively leverage tunneling services such as Cloudflare Quick Tunnels, VSCode Tunneling, and Ngrok to hide their infrastructure.
The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
New malware family deployed by Kimsuky as part of its evolving intrusion toolkit.
A Rust-based PebbleDash backdoor variant with basic command execution capability, directory control, and sleep timing functions.
A Rust-based DLL backdoor in the PebbleDash cluster. It establishes persistence via the Run registry key, communicates over HTTP with a TryCloudflare-hosted C2, generates a host identifier from device information, decrypts commands with RC4, and supports directory changes, sleep, persistence installation, and command execution.
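Two of the behaviours above, the Run-key persistence in this write-up and the TryCloudflare / ngrok / VS Code tunnel C2 noted under Command and Control, are weak signals alone (developers use Dev Tunnels, installers write Run values) but strong together. The following is an added example, not code from the page or from Mallory, that correlates the two per host over constructed DNS and registry events. The event layout, the tunnel-domain suffix list (the reports name the services, not the domains) and the directory trust rule are assumptions of the example.

```python
"""Per-host correlation of tunnel-service lookups with Run-key persistence.
Added example; event layout, suffix list and sample data are assumptions."""
import re
from collections import defaultdict

# Public suffixes of the tunneling services named in the reports. Assumed list;
# extend it from your own DNS telemetry.
TUNNEL_SUFFIXES = (".trycloudflare.com", ".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".devtunnels.ms")
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
TRUSTED_PREFIX = re.compile(r"^[a-z]:\\(?:windows|program files(?: \(x86\))?)\\", re.I)
WINDOWS_TEMP = re.compile(r"^[a-z]:\\windows\\temp\\", re.I)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # WS-017: binary in AppData adds a Run value, then resolves a Quick Tunnel hostname.
    {"type": "registry", "host": "WS-017",
     "process": r"C:\Users\alice\AppData\Roaming\Updater\update.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "dns", "host": "WS-017",
     "process": r"C:\Users\alice\AppData\Roaming\Updater\update.exe",
     "query": "plain-cloud-random-words.trycloudflare.com"},
    # WS-022: a developer's VS Code using Dev Tunnels, no persistence change. Note that a
    # per-user VS Code install lives under AppData\Local\Programs, so the location test
    # alone would flag it; that is why "high" needs both signals.
    {"type": "dns", "host": "WS-022",
     "process": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "query": "abc123-8080.euw.devtunnels.ms"},
    # WS-031: a downloaded installer adds a Run value and never touches a tunnel domain.
    {"type": "registry", "host": "WS-031",
     "process": r"C:\Users\bob\Downloads\tool_setup.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Tool"},
]


def is_tunnel_domain(query):
    """True if the queried name ends in one of the tunnel-service suffixes."""
    q = query.lower().rstrip(".")
    return any(q.endswith(s) for s in TUNNEL_SUFFIXES)


def is_run_key(key):
    """True for values under ...\\CurrentVersion\\Run or \\RunOnce (any hive)."""
    k = key.lower()
    return any(m in k for m in RUN_KEY_MARKERS)


def is_user_writable(path):
    """True if a standard user could have written the process image there."""
    return not TRUSTED_PREFIX.match(path) or bool(WINDOWS_TEMP.match(path))


def correlate(events):
    """Return {host: {"signals": [...], "severity": "high"|"medium"|"low"}}.

    high   - tunnel C2 lookup AND Run-key write, both from user-writable images
    medium - tunnel C2 lookup from a user-writable image, no persistence seen
    low    - either signal from a trusted location, or Run-key write alone
    """
    signals = defaultdict(set)
    for ev in events:
        origin = "untrusted" if is_user_writable(ev["process"]) else "trusted"
        if ev["type"] == "dns" and is_tunnel_domain(ev["query"]):
            signals[ev["host"]].add(f"tunnel_c2:{origin}")
        elif ev["type"] == "registry" and is_run_key(ev["key"]):
            signals[ev["host"]].add(f"run_key:{origin}")

    verdicts = {}
    for host, sig in signals.items():
        if {"tunnel_c2:untrusted", "run_key:untrusted"} <= sig:
            severity = "high"
        elif "tunnel_c2:untrusted" in sig:
            severity = "medium"
        else:
            severity = "low"
        verdicts[host] = {"signals": sorted(sig), "severity": severity}
    return verdicts


if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_EVENTS).items():
        print(host, verdict["severity"], ", ".join(verdict["signals"]))
```

The suffix match anchors on the registrable domain, so a lookalike such as trycloudflare.com.attacker.example does not match, and a trailing dot from raw DNS logs is stripped first. If your DNS source does not carry the originating process, drop the origin tag from the DNS side and treat any tunnel lookup from a host with an untrusted Run-key write as high.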