
RUHAPPY

Posted: October 17, 2019

The North Korean hacking group known as APT37 is infamous for a diverse toolset that lets it carry out swift and damaging attacks against high-profile targets in South Korea and the Middle East. While the group is less active than Lazarus (another well-known group linked to the North Korean government), it is an Advanced Persistent Threat actor that specializes in long-term reconnaissance operations and data exfiltration from its targets. While most of its arsenal consists of backdoor Trojans, Remote Access Trojans (RATs), and infostealers, it also relies on highly destructive wipers like RUHAPPY.

The RUHAPPY Wiper Targets the Hard Disk's Master Boot Record

The RUHAPPY malware has been utilized in very few attacks, and it was often used after a machine was infected by APT37's DOGCALL malware, a threat dedicated to providing attackers with backdoor access to compromised hosts. However, while DOGCALL is responsible for executing remote commands and gathering intelligence, the RUHAPPY wiper malware is far simpler and more destructive – it attempts to overwrite a hard drive's Master Boot Record (MBR). If this task is accomplished, the RUHAPPY malware may render the target's computer inoperable – the victim will see the message 'Are you Happy?' whenever they try to boot the computer.
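Because the damage described above is an overwritten Master Boot Record, a defender's first question after suspected DOGCALL activity is whether the first sector of the disk still looks like a valid MBR. The following script is an added example written for this article, not code from the original page or from any vendor analysis of RUHAPPY. It parses a 512-byte sector the way a forensic triage check would: it verifies the 0x55AA boot signature, counts sane partition-table entries, measures how much of the bootstrap area is printable text (a sector replaced by a message is almost entirely printable), and compares the sector's SHA-256 against a known-good baseline taken when the host was healthy. The two sample sectors, `build_sample_mbr` and `build_wiped_sample`, are constructed in the script for demonstration; the helper names and the verdict thresholds are this example's own choices.

```python
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512                 # classic MBR is exactly one 512-byte sector
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the bootstrap code
BOOT_SIGNATURE_OFFSET = 510    # last two bytes must be 0x55 0xAA
PRINTABLE_TEXT_THRESHOLD = 0.6  # example heuristic: real boot code is mostly non-printable


@dataclass
class MbrCheck:
    signature_ok: bool
    partition_count: int
    bootstrap_printable_ratio: float
    sha256: str
    verdict: str


def build_sample_mbr() -> bytes:
    """Constructed stand-in for a healthy MBR (not captured from a real system)."""
    # a few plausible x86 boot-code bytes followed by zero padding to 446 bytes
    bootstrap = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])
    bootstrap += b"\x00" * (PARTITION_TABLE_OFFSET - len(bootstrap))
    # one bootable (0x80) NTFS-type (0x07) partition: start LBA 2048, 204800 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)  # remaining three entries unused
    return bootstrap + table + b"\x55\xAA"


def build_wiped_sample() -> bytes:
    """Constructed stand-in for a sector that was overwritten with a text message."""
    msg = b"Are you Happy?"
    return (msg * (MBR_SIZE // len(msg) + 1))[:MBR_SIZE]


def read_first_sector(path: str) -> bytes:
    """Read the first 512 bytes of a disk image or block device (read-only)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def check_mbr(sector: bytes) -> MbrCheck:
    """Validate one sector and return structural findings plus a triage verdict."""
    if len(sector) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    sector = sector[:MBR_SIZE]

    signature_ok = sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] == b"\x55\xAA"

    # count partition entries that are internally consistent
    partitions = 0
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, _start_lba, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0 and status in (0x00, 0x80) and sectors > 0:
            partitions += 1

    # share of the bootstrap area that is printable ASCII
    bootstrap = sector[:PARTITION_TABLE_OFFSET]
    printable = sum(1 for b in bootstrap if 0x20 <= b <= 0x7E)
    ratio = printable / len(bootstrap)

    if not signature_ok:
        verdict = "wiped_or_corrupt"
    elif partitions == 0:
        verdict = "no_partitions"
    elif ratio > PRINTABLE_TEXT_THRESHOLD:
        verdict = "suspicious_text_overwrite"
    else:
        verdict = "ok"

    return MbrCheck(signature_ok, partitions, ratio,
                    hashlib.sha256(sector).hexdigest(), verdict)


def matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """Compare a sector against a hash recorded while the host was known-good."""
    return hashlib.sha256(sector[:MBR_SIZE]).hexdigest() == baseline_sha256


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = check_mbr(good).sha256
    for name, sector in (("healthy", good), ("wiped", build_wiped_sample())):
        result = check_mbr(sector)
        print(f"{name}: verdict={result.verdict} signature_ok={result.signature_ok} "
              f"partitions={result.partition_count} printable={result.bootstrap_printable_ratio:.2f} "
              f"baseline_match={matches_baseline(sector, baseline)}")
```

In practice the baseline hash is recorded from a known-good image and the check is run against `read_first_sector()` on the suspect disk image; a hash mismatch alone is worth investigating, while a missing signature or a mostly-printable bootstrap area indicates the sector has been replaced rather than merely updated.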

Copies of the RUHAPPY wiper were found on computers belonging to South Korean government and military organizations that had been breached by APT37's DOGCALL backdoor. The last traces of RUHAPPY activity date back to 2017, so it is not clear whether the threat actors are still using this wiper.
