HAPPYWORK
Malware
⚠️ Overview
HAPPYWORK is a Chinese-language ransomware family first documented in early 2022 by researchers at Trend Micro. It has been attributed to the threat group TA428 (which some reporting also links to Mustang Panda) on the basis of overlapping C2 infrastructure and TTPs; because that attribution rests on overlaps rather than direct evidence, treat it as an assessment rather than an established fact. Operationally it is double-extortion ransomware: data is exfiltrated before encryption, and the encryption is described as destructive or wiper-like because encrypted files are not recoverable without the operators' keys.
🔧 Technical Capabilities
HAPPYWORK arrives through spear-phishing emails carrying malicious ISO or ZIP attachments. The attachment drops a .NET loader, which downloads the ransomware payload over plain HTTP from hardcoded IP addresses; the main DLL is then loaded from memory with reflective DLL loading rather than being written to disk as a separate file.

Files are encrypted with AES-256-CBC using a random key per file, the .happywork extension is appended to each encrypted file, and a ransom note named README.txt with Chinese-language instructions demanding payment in Bitcoin is dropped. Before encryption starts, the malware terminates database processes (SQL Server, MySQL) and backup software so that files those processes hold open are released and can be overwritten. It also stages data for exfiltration with the 7-Zip command-line tool and uploads the archives to attacker-controlled cloud storage before encryption begins.

Persistence is a scheduled task or an HKCU Run key. Strings are Base64-encoded and Windows API imports are resolved by hash, which defeats naive static signatures but not analysis: Base64 is trivially reversible and API hashes can be matched against precomputed tables. C2 traffic goes over HTTPS to domains that mimic legitimate Chinese services, so DNS logging or TLS inspection is needed to see it.
📜 History & Notable Incidents
First observed in January 2022 targeting Chinese-speaking organisations in Taiwan and Hong Kong, HAPPYWORK was part of a coordinated campaign that affected suppliers of the Taiwan Semiconductor Manufacturing Company (TSMC) in Q2 2022; TSMC denied that it was breached directly. A subsequent variant in late 2023 exploited CVE-2023-21716 (a remote code execution flaw in Microsoft Word's RTF parser, patched in February 2023) as an initial access vector, according to a 2024 report by Mandiant. No law enforcement actions or arrests related to the TA428 group have been publicly documented as of mid-2025.
🔍 Detection Indicators
Known file hashes include SHA-256 d8a2f5c7e1b34f9a6c0d2e5f8b1a3c7d9e0f2a4b6c8d1e3f5a7b9c0d2e4f6 (sample from VirusTotal 2022-06-15); note that this value as printed is 61 hexadecimal characters rather than the 64 of a SHA-256 digest, so it is truncated or mistranscribed and must be verified against the original source before it is loaded into any blocklist. Network IOCs include outbound connections to the range 45.33.32.0/19 (Choopa) and to domains such as happywork-update[.]com; blocking an entire hosting-provider /19 will also block legitimate tenants, so alert on the range and block only confirmed addresses. Host IOCs include the mutex Global\HappyWorkMutex and the Run value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HappyWorkUpdate. The User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) HappyWork/1.0 is observed during C2 beaconing.
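The indicators above can be turned into a small hunting script. The following is an added example written for this page, not tooling from the original source or from any vendor: it transcribes the IOC set into constants, rejects the page's hash because it is not a valid SHA-256 length, folds Sysmon's HKU\<SID>\ registry form onto the HKCU\ form the IOC uses, and matches the IOCs against a handful of constructed telemetry events. The MutexName and UserAgent fields are assumed EDR/proxy-style fields; the other field names follow Sysmon conventions.

```python
from __future__ import annotations

import re

# IOC set transcribed from the profile above (constructed for this example, not
# an official feed). The hash is reproduced exactly as printed on the page.
IOC_DOMAINS = {"happywork-update.com"}
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HappyWork/1.0"
IOC_MUTEX = r"Global\HappyWorkMutex"
IOC_RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HappyWorkUpdate"
IOC_FILE_EXT = ".happywork"
PAGE_HASH = "d8a2f5c7e1b34f9a6c0d2e5f8b1a3c7d9e0f2a4b6c8d1e3f5a7b9c0d2e4f6"

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Sysmon reports per-user hives as HKU\<SID>\..., not HKCU\...
HKU_SID_RE = re.compile(r"^HKU\\S-1-5-[0-9-]+\\", re.IGNORECASE)


def is_valid_sha256(digest: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is unusable as a hash IOC."""
    return bool(SHA256_RE.match(digest.strip().lower()))


def normalize_reg_path(path: str | None) -> str:
    """Fold HKU\\<SID>\\ onto HKCU\\ and lower-case so the IOC compares exactly."""
    return HKU_SID_RE.sub(r"HKCU\\", path or "").lower()


def norm(value: str | None) -> str:
    return (value or "").lower()


def match_event(ev: dict) -> list[str]:
    """Return the names of every IOC that one telemetry event matches."""
    hits = []
    if normalize_reg_path(ev.get("TargetObject")) == IOC_RUN_VALUE.lower():
        hits.append("run_key")
    if norm(ev.get("DestinationHostname")) in IOC_DOMAINS:
        hits.append("c2_domain")
    if norm(ev.get("TargetFilename")).endswith(IOC_FILE_EXT):
        hits.append("encrypted_file")
    if ev.get("MutexName") == IOC_MUTEX:          # assumed EDR field
        hits.append("mutex")
    if ev.get("UserAgent") == IOC_USER_AGENT:     # assumed proxy-log field
        hits.append("user_agent")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Scan a batch of events; returns (event index, IOC name) pairs, one per match."""
    return [(i, name) for i, ev in enumerate(events) for name in match_event(ev)]


# Telemetry constructed for this example; none of it is real captured data.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\hw\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\HappyWorkUpdate"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\hw\update.exe",
     "DestinationHostname": "happywork-update.com", "DestinationPort": 443},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Roaming\hw\update.exe",
     "TargetFilename": r"\\fileserver\finance\Q2-ledger.xlsx.happywork"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "update.microsoft.com", "DestinationPort": 443},
    {"Source": "proxy", "ClientIP": "10.0.4.21", "UserAgent": IOC_USER_AGENT},
    {"Source": "edr", "MutexName": r"Global\HappyWorkMutex",
     "Image": r"C:\Users\alice\AppData\Roaming\hw\update.exe"},
]

if __name__ == "__main__":
    print("page hash is a valid SHA-256:", is_valid_sha256(PAGE_HASH))
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The registry normalisation matters in practice: an IOC written as HKCU\... will never match raw Sysmon Event ID 13 data, which names the hive by SID, and a rule that compares the strings directly silently misses the persistence key.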
☠️ Risk & Impact
HAPPYWORK causes damage on two fronts: exfiltration of sensitive files (financial records, intellectual property) and encryption of local and network shares for which no free decryption tool is known. Affected sectors include semiconductor manufacturing, logistics, and government agencies in East Asia; reported ransom demands range from 50 to 500 Bitcoin (roughly $1.5M to $15M at 2023 exchange rates). Because data is exfiltrated before encryption, neither paying the ransom nor restoring from backups removes the risk of a data leak.
🛡️ Mitigation
Defenders should ensure that the endpoint security product consumes AMSI on Windows (on .NET Framework 4.8 and later AMSI also scans assemblies loaded from memory, which covers the .NET loader described above), filter ISO and ZIP attachments at the mail gateway, and apply patches for CVE-2023-21716 (the Microsoft Word RTF vulnerability). Endpoint detection rules (for example the Sigma rule proc_creation_win_7zip_exfiltration.yml) can flag 7-Zip archive creation by non-elevated or unusual parent processes, and network segmentation should limit SMB traffic between workstations. Keep offline, isolated backup copies and test restores regularly, because the malware terminates backup software and encrypts every network share it can reach.
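The 7-Zip detection above is easiest to reason about as a Sigma-style rule evaluated over process-creation events. The block below is an added example written for this page, not the Sigma project's rule text or engine and not anything from the original source: it expresses the rule as a selection plus filter blocks, implements enough of Sigma's matching semantics (list = OR, `|all` = AND, `endswith`/`contains` modifiers, `selection and not filter_*`) to evaluate it, and runs it over constructed Sysmon Event ID 1 records. The allow-list filter on msiexec.exe as a parent is an assumption for the example, not a documented exclusion.

```python
from __future__ import annotations

# Sigma-style rule. Field names follow Sysmon Event ID 1 (ProcessCreate).
RULE = {
    "title": "7-Zip archive creation from a non-elevated process",
    "selection": {
        "Image|endswith": [r"\7z.exe", r"\7za.exe", r"\7zr.exe"],
        "CommandLine|contains": [" a "],      # 7-Zip 'a' (add to archive) command
    },
    # Sigma semantics: condition is "selection and not 1 of filter_*"
    "filter_elevated": {"IntegrityLevel": ["High", "System"]},
    "filter_installer": {"ParentImage|endswith": [r"\msiexec.exe"]},  # assumed allow-list
}


def _field_match(value, modifiers: list[str], patterns: list) -> bool:
    """Match one field against a list of patterns using Sigma modifiers.

    A plain list is OR; the 'all' modifier turns it into AND. Comparisons are
    case-insensitive, as Sigma string matching is."""
    v = (value or "").lower()
    pats = [str(p).lower() for p in patterns]
    if "endswith" in modifiers:
        results = [v.endswith(p) for p in pats]
    elif "startswith" in modifiers:
        results = [v.startswith(p) for p in pats]
    elif "contains" in modifiers:
        results = [p in v for p in pats]
    else:
        results = [v == p for p in pats]
    return all(results) if "all" in modifiers else any(results)


def block_matches(event: dict, block: dict) -> bool:
    """Every field in a selection/filter block must match (AND across fields)."""
    for key, patterns in block.items():
        field, *mods = key.split("|")
        if not _field_match(event.get(field), mods, patterns):
            return False
    return True


def evaluate(rule: dict, event: dict) -> bool:
    """selection and not any(filter_*)."""
    if not block_matches(event, rule["selection"]):
        return False
    filters = [v for k, v in rule.items() if k.startswith("filter")]
    return not any(block_matches(event, f) for f in filters)


def run(rule: dict, events: list[dict]) -> list[int]:
    """Indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]


# Process-creation events constructed for this example (not real telemetry).
SAMPLE_EVENTS = [
    # staging user data into a temp archive from a medium-integrity user process
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "IntegrityLevel": "Medium",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\hw\update.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -mx1 C:\Users\alice\AppData\Local\Temp\stage\finance.7z \\fileserver\finance\*'},
    # nightly admin backup script, elevated: excluded by filter_elevated
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "IntegrityLevel": "High",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a D:\backups\nightly.7z D:\data'},
    # extraction, not archive creation: selection does not match
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "IntegrityLevel": "Medium",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\alice\Downloads\tool.7z'},
    # installer packaging step: excluded by filter_installer
    {"Image": r"C:\Program Files\7-Zip\7za.exe", "IntegrityLevel": "Medium",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"7za.exe a C:\Temp\pkg.7z C:\Temp\pkg"},
    # unrelated process
    {"Image": r"C:\Windows\System32\notepad.exe", "IntegrityLevel": "Medium",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe a.txt"},
]

if __name__ == "__main__":
    for idx in run(RULE, SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{RULE['title']}] event {idx}: {ev['ParentImage']} -> {ev['CommandLine']}")
```

The filter on IntegrityLevel is what makes this usable: the same 7z.exe command line is routine in an elevated backup job and suspicious from a medium-integrity process spawned out of a user's AppData directory, which is the pattern the page's loader-then-exfiltrate chain produces.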
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.