S0214: HAPPYWORK
Analyst context for executives and security teams
HAPPYWORK matters because ATT&CK identifies it as a downloader: malware whose business risk is often not the first payload, but what it enables next. The supplied ATT&CK context ties it to discovery of users and system details, plus transfer of additional tools into an environment. For leaders, the defensive question is whether the organization can quickly prove what host was affected, what user context was exposed, and whether any follow-on files were downloaded.
Executive priority
Treat this as a readiness and evidence problem: do incident response, SOC, and compliance teams have enough endpoint, identity, and network evidence to reconstruct downloader activity and subsequent tool transfer? Priority should go to validating visibility around user/system discovery and external file ingress, because those behaviors can shape containment scope and escalation decisions. The ATT&CK description references historic targeting of South Korean government and financial victims by APT37 in November 2016, but the supplied data does not support claims about current activity or local exposure.
Technical view
ATT&CK provides no platform list or detection text for HAPPYWORK itself, so defenders should validate coverage through its linked behaviors: T1033 System Owner/User Discovery, T1082 System Information Discovery, and T1105 Ingress Tool Transfer. SOC and IR teams should look for processes or scripts that enumerate the logged-in or primary user, collect OS/hardware/patch/architecture details, and then retrieve and execute additional files from external infrastructure. Because the software object carries no platform field, detection engineering should be environment-led rather than assuming a single operating system for HAPPYWORK specifically. One caveat: the mirrored procedure text says the malware checks IsDebuggerPresent state, which is a Windows API, so the sample described by the FireEye reference was almost certainly Windows-hosted; treat the empty platform field as a gap in the object, not as evidence of cross-platform capability.
Likely telemetry
- Endpoint process creation and command-line telemetry showing user or system discovery activity
- Host inventory and EDR telemetry for OS, patch, architecture, and hardware queries
- Authentication/session context linking discovery activity to the active user or service account
- Network connection logs, proxy logs, DNS logs, and firewall records for external file retrieval
- File creation/download telemetry and hashes for newly introduced tools or payloads
Detection direction
- Correlate user/system discovery followed by external file transfer rather than alerting on each discovery command in isolation.
- Tune for unusual discovery activity by non-administrative users, unexpected service accounts, or processes that do not normally perform host inventory.
- Validate whether proxy, DNS, firewall, and endpoint telemetry can connect a downloaded file to the process and user that initiated it.
- Expect false positives from legitimate administration, asset inventory, patch management, and software deployment tools; baseline those tools before escalating.
- Because ATT&CK provides no HAPPYWORK-specific detection text, avoid relying on malware-name signatures alone and test behavior-based detections mapped to T1033, T1082, and T1105.
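The correlation described in the technical view and in the detection direction above (discovery by a non-baselined process, followed within a short window by external file retrieval or a new executable on the same host, with the resulting alert carrying the process, user and file that a responder needs) can be prototyped as a small windowed join over normalized endpoint and proxy events. The code below is an added example written for this page, not ATT&CK guidance or Glexia tooling. The event schema, the discovery command patterns, the baselined inventory tools, the approved egress host, the 15-minute window and the size threshold are all assumptions, and the events are constructed rather than real telemetry.

```python
"""Correlate host discovery (T1033/T1082) followed by ingress tool transfer (T1105).

Added example, not code from ATT&CK or the page. The event schema, discovery
patterns, baselined tools, approved egress and thresholds are assumptions;
SAMPLE_EVENTS below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed discovery indicators keyed by the ATT&CK technique they map to.
DISCOVERY_PATTERNS = {
    "T1033": ("whoami", "query user", "net config workstation", "$env:username"),
    "T1082": ("systeminfo", "hostname", "wmic computersystem", "wmic os", "get-computerinfo"),
}
# Assumed baseline: inventory/patch tooling whose discovery is expected and should not alert.
BASELINED_IMAGES = {"inventoryagent.exe", "ccmexec.exe"}
# Assumed approved software-distribution destination; downloads from it are not "ingress".
APPROVED_EGRESS = {"updates.example.com"}
WINDOW = timedelta(minutes=15)          # discovery -> ingress join window (assumption)
MIN_DOWNLOAD_BYTES = 64 * 1024          # ignore tiny responses such as beacons (assumption)
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".vbs", ".js", ".bat")

# Constructed events: one host with the downloader pattern, two benign hosts.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05Z", "host": "WS-101", "user": "jdoe", "type": "process",
     "pid": 4120, "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami /all"},
    {"ts": "2024-05-01T09:00:09Z", "host": "WS-101", "user": "jdoe", "type": "process",
     "pid": 4124, "image": "C:\\Windows\\System32\\systeminfo.exe", "cmdline": "systeminfo"},
    {"ts": "2024-05-01T09:03:40Z", "host": "WS-101", "user": "jdoe", "type": "network",
     "pid": 4100, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "dest": "203.0.113.17:443", "bytes_in": 348160},
    {"ts": "2024-05-01T09:03:41Z", "host": "WS-101", "user": "jdoe", "type": "file_create",
     "pid": 4100, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage2.exe"},
    # Benign: inventory agent runs systeminfo, then pulls a package from approved egress.
    {"ts": "2024-05-01T09:10:00Z", "host": "WS-202", "user": "SYSTEM", "type": "process",
     "pid": 900, "image": "C:\\Program Files\\Agent\\InventoryAgent.exe", "cmdline": "systeminfo"},
    {"ts": "2024-05-01T09:11:00Z", "host": "WS-202", "user": "SYSTEM", "type": "network",
     "pid": 900, "image": "C:\\Program Files\\Agent\\InventoryAgent.exe",
     "dest": "updates.example.com:443", "bytes_in": 5 * 1024 * 1024},
    # Benign: a large browser download with no preceding discovery on that host.
    {"ts": "2024-05-01T09:20:00Z", "host": "WS-303", "user": "asmith", "type": "network",
     "pid": 2210, "image": "C:\\Program Files\\Browser\\browser.exe",
     "dest": "198.51.100.5:443", "bytes_in": 1024 * 1024},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_discovery(evt: dict) -> List[str]:
    """Return the discovery technique IDs a process event matches (empty if none or baselined)."""
    if evt["type"] != "process" or _basename(evt["image"]) in BASELINED_IMAGES:
        return []
    cmd = evt["cmdline"].lower()
    return [tid for tid, pats in DISCOVERY_PATTERNS.items() if any(p in cmd for p in pats)]


def is_ingress(evt: dict) -> bool:
    """True for a sizable download from unapproved infrastructure or a new executable on disk."""
    if evt["type"] == "network":
        dest_host = evt["dest"].rsplit(":", 1)[0]
        return dest_host not in APPROVED_EGRESS and evt.get("bytes_in", 0) >= MIN_DOWNLOAD_BYTES
    if evt["type"] == "file_create":
        return evt["path"].lower().endswith(EXEC_SUFFIXES)
    return False


def correlate(events: List[dict]) -> List[dict]:
    """Emit one alert per host where non-baselined discovery is followed by ingress within WINDOW."""
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: _ts(e["ts"])):
        by_host[e["host"]].append(e)
    alerts: List[dict] = []
    for host, evs in by_host.items():
        recent = []      # (time, event, techniques) for discovery still inside the window
        alert = None
        for e in evs:
            t = _ts(e["ts"])
            techs = classify_discovery(e)
            if techs:
                recent.append((t, e, techs))
                continue
            if not is_ingress(e):
                continue
            recent = [r for r in recent if t - r[0] <= WINDOW]
            if not recent:
                continue     # download without prior discovery: leave to other rules
            if alert is None:
                alert = {"host": host, "user": e["user"], "techniques": set(),
                         "discovery": [], "ingress": []}
                for _, d, ids in recent:
                    alert["discovery"].append({"ts": d["ts"], "pid": d["pid"], "cmdline": d["cmdline"]})
                    alert["techniques"].update(ids)
                alerts.append(alert)
            # Record the process and user that performed the transfer and what it produced.
            alert["techniques"].add("T1105")
            alert["ingress"].append({"ts": e["ts"], "pid": e["pid"], "image": e["image"],
                                     "detail": e.get("dest") or e.get("path")})
    for a in alerts:
        a["techniques"] = sorted(a["techniques"])
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The join is keyed on host rather than on process lineage, because a downloader that spawns discovery commands and a downloader that performs discovery in-process produce different parent/child chains but the same host-level sequence. The baseline check lives in classify_discovery rather than in the alert, so an approved inventory agent never opens a window, which is how the false-positive guidance above is applied before escalation.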
Mitigation priorities
- Prioritize visibility first: ensure endpoint, network egress, DNS/proxy, and file creation logs are retained and usable for IR reconstruction.
- Apply least privilege and account hygiene so user discovery does not expose unnecessary administrative or service-account context.
- Control and monitor outbound file downloads through approved paths, with logging sufficient to identify source process, destination, and resulting file.
- Harden software deployment and administrative transfer channels so legitimate tool transfer is distinguishable from suspicious ingress.
- Use incident response playbooks that explicitly ask whether a downloader introduced additional tools after initial execution.
Analyst notes and limits
The strongest decision value in this object comes from its role as a downloader and its ATT&CK relationships to discovery and ingress tool transfer. The FireEye reference and ATT&CK description provide historic context linking HAPPYWORK to APT37 targeting South Korean government and financial victims in November 2016, but this summary does not infer current campaigns or organization-specific risk.
ATT&CK supplies no HAPPYWORK-specific platforms, tactics, aliases, labels, or detection guidance in the provided fields. Technical recommendations therefore rely on the listed relationships to T1033, T1082, and T1105 and must be validated against local operating systems, logging coverage, administration patterns, and network architecture.
HAPPYWORK
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | HAPPYWORK can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path. [1] |
| Enterprise | T1033 | System Owner/User Discovery | HAPPYWORK can collect the victim user name. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | HAPPYWORK can download and execute a second-stage payload. [1] |
Groups, software, and campaigns
G0067: APT37
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases by object version, MITRE modification timestamp and raw object hash. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2d02645e90b8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
[2] MITRE ATT&CK. S0214: HAPPYWORK (mitre-attack S0214).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.