{
	"id": "f7f57c4c-a8c6-476f-94bc-c8ebf3869253",
	"created_at": "2026-04-06T00:19:47.686034Z",
	"updated_at": "2026-04-10T03:24:29.432345Z",
	"deleted_at": null,
	"sha1_hash": "092274a372bedce53033430ca2c2da734c444047",
	"title": "Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3652705,
	"plain_text": "Ukraine Campaign Delivers Defacement and Wipers, in Continued\r\nEscalation\r\nBy Cisco Talos\r\nPublished: 2022-01-21 · Archived: 2026-04-05 13:34:14 UTC\r\nBy Nick Biasini, Michael Chen, Alex Karkins, Azim Khodjibaev, Chris Neal and Matt Olney, with contributions\r\nfrom Dmytro Korzhevin.\r\nThis post is also available in:\r\n日本語 (Japanese)\r\nUpdate Feb. 4, 2022\r\nSince the initial publication of this blog, various organizations inside Ukraine have released advisories and other\r\nreports providing additional information about the January cyber attacks on Ukrainian entities. Based on these\r\nnew details and Cisco Talos' continued investigatory work, we have discovered several previously unidentified\r\nconnections that strongly support the notion that these attacks were part of a broader, ongoing disinformation\r\ncampaign against Ukraine. This culminated in the addition of a section related to the ongoing disinformation\r\ncampaigns associated with these incidents. 
Below are some of the high-level updates:\r\nDetails of CERT-UA Advisory, including example bash commands.\r\nDetails of SSSCIP advisory outlining a false flag operation, including additional analysis.\r\nDisinformation section added to outline various components of disinformation observed.\r\nCisco Talos has determined with moderate confidence that there is an ongoing disinformation campaign\r\nattempting to attribute these attacks to Ukrainian groups that date back at least nine months.\r\nCisco Talos has also found connections between actors in this campaign and FancyBear disinformation\r\ncampaigns dating back to 2016-2017.\r\nIn late January, the Computer Emergency Response Team of Ukraine (CERT-UA) released an advisory detailing\r\nnewly released information regarding the attacks.\r\nAnother advisory, published by the State Service of Special Communication and Information Protection of\r\nUkraine (SSSCIP), states that the ransomware attack may be a false flag operation intentionally crafted to appear\r\nas the work of a pro-Ukrainian group. In this post, we have added a new section labeled \"Role of disinformation in\r\ncampaign\" detailing the evidence provided by the advisory.\r\nCisco Talos has also done additional analysis on the connection between WhisperKill and WhiteBlackCrypt. The\r\ndetails of the findings, including the ties into ongoing disinformation campaigns are included in this update.\r\nhttps://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html\r\nPage 1 of 23\n\nSeveral cyber attacks against Ukrainian government websites — including website defacements and destructive\r\nwiper malware — have made headlines over the past few weeks as military tensions along the Russian/Ukrainian\r\nborder have escalated. 
As a longtime intelligence partner and ally, Cisco Talos quickly responded to provide\r\nsupport, working with the State Special Communications Service of Ukraine (SSSCIP), the Cyberpolice\r\nDepartment of the National Police of Ukraine and the National Coordination Center for Cybersecurity (NCCC at\r\nthe NSDC of Ukraine).\r\nBased on our analysis of the wiper malware, dubbed WhisperGate, we identified the following key points:\r\nWhile WhisperGate has some strategic similarities to the notorious NotPetya wiper that attacked Ukrainian\r\nentities in 2017, including masquerading as ransomware and targeting and destroying the master boot\r\nrecord (MBR) instead of encrypting it, it notably has more components designed to inflict additional\r\ndamage.\r\nWe assess that attackers used stolen credentials in the campaign and they likely had access to the victim\r\nnetwork for months before the attack, a typical characteristic of sophisticated advanced persistent threat\r\n(APT) operations.\r\nThe multi-stage infection chain downloads a payload that wipes the MBR, then downloads a malicious\r\nDLL file hosted on a Discord server, which drops and executes another wiper payload that destroys files on\r\nthe infected machines.\r\nWe echo the recommendations from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that\r\norganizations with ties to Ukraine should carefully consider how to isolate and monitor those connections\r\nto protect themselves from potential collateral damage.\r\nRecent Ukraine attacks represent ongoing threats to partner organizations\r\nWe were forced to cancel a trip to Kyiv in early 2020 at the onset of the COVID-19 pandemic. It was unfortunate\r\nto lose the opportunity to reunite with friends and colleagues, and also to visit Ostannya Barykada, one of our\r\nfavorite restaurants there. 
In short, Talos has been working for years in Ukraine – even prior to NotPetya – to\r\nsecure a safe and stable computing environment there.\r\nThe recent activities in Ukraine, whether the defacement of almost 80 government websites or the discovery of\r\nwiper malware at various government agencies, feel familiar. In fact, if it weren't for the obvious increase in\r\ngeopolitical tensions in the region, we would simply consider it winter in Ukraine. To put it another way, we've\r\nseen this kind of activity on and off for years, and while we are quick to render assistance, we see no reason to\r\npanic because of these events.\r\nHowever, defenders around the world should carefully watch the situation in Ukraine, particularly after the global\r\nimpact of the Ukraine-centric attack that was NotPetya. In that case, an attack that was intended to punish Ukraine\r\nhad a wide-ranging, global impact. Any organization that had any sort of business connection to Ukraine could be\r\naffected. Because of this history, organizations with ties to Ukraine should consider how to isolate and monitor\r\nthose connections to protect themselves, a recommendation we made in 2017 and continue to stand by today.\r\nAs we wrote during the \"NotPetya\" campaign in 2017:\r\n\"Based on this, Talos is advising that any organization with ties to Ukraine treat software like M.E.Doc\r\nand systems in Ukraine with extra caution since they have been shown to be targeted by advanced\r\nthreat actors. This includes providing them a separate network architecture, increased monitoring and\r\nhunting activities in those at-risk systems and networks and allowing only the level of access absolutely\r\nnecessary to conduct business. 
Patching and upgrades should be prioritized on these systems and\r\ncustomers should move to transition these systems to Windows 10, following the guidance from\r\nMicrosoft on securing those systems. Additional guidance for network security baselining is available\r\nfrom Cisco as well. Network IPS should be deployed on connections between international\r\norganizations and their Ukrainian branches and endpoint protection should be installed immediately on\r\nall Ukrainian systems.\"\r\nWe're sharing what information we can on the events in Ukraine to assist defenders globally in understanding the\r\nthreat and crafting a defensive approach appropriate for their situation. Events can move quickly, so organizations\r\nneed to be constantly evaluating potential exposures to the situation now and elevating their level of security\r\naround the connections, software and processes that connect them to Ukraine.\r\nRole of disinformation in campaign\r\nNew information has surfaced that indicates that elements of recent attacks in Ukraine represented an effort to\r\ncreate multiple false narratives intended to complicate attribution attempts and create plausible deniability for the\r\nactor behind the attacks. Our findings indicate the actor attempted to blame multiple parties, including both\r\nPoland and Ukrainians themselves, despite the fact that technical indicators surrounding the attack do not support\r\nthese false narratives. We've seen tactics like this in the region and elsewhere in incidents like Olympic Destroyer.\r\nThe intent is not to actually convince people that someone else was the source, but instead to introduce enough\r\ndoubt that it is politically useful either now or in future operations.\r\nFirst, the defacements appeared in several different languages, including Polish. 
It was the Polish translation that\r\nwas the first indicator since it was quickly discovered to just be a translation of the message in Russian using the\r\npopular platform yandex.ru's translation capabilities.\r\nDefaced website containing Yandex Polish translation.\r\nSSSCIP has also made a connection between WhisperKill, a component of the WhisperGate malware that was\r\ndeployed on Ukrainian systems, and the Encrypt3d ransomware, also known as WhiteBlackCrypt.\r\nWhiteBlackCrypt was reportedly used in operations against Russian targets in 2021. The advisory states that there\r\nis over eighty percent similarity between them. Cisco Talos has completed initial analysis and agrees that there is\r\nsubstantial overlap between the two samples.\r\nAnother connection that SSSCIP has noted is that the ransom note displayed by Encrypt3d contains an ASCII\r\nrepresentation of a trident symbol that is part of Ukraine's coat of arms.\r\nRansom note with Ukrainian trident vs Ukrainian Coat of Arms.\r\nSSSCIP asserts the campaign is likely a false-flag operation in an attempt to create a fake narrative of a pro-Ukrainian group attacking its own government. This is a known tactic employed by actors in this region.\r\nWhiteBlackCrypt analysis points to long-running disinformation campaign\r\nCisco Talos researchers took a deeper look at the connection between WhisperKill and WhiteBlackCrypt,\r\nspecifically at the origins of WhiteBlackCrypt and its usage in the wild.\r\nWe started searching various forums for WhiteBlackCrypt advertisements. 
In our experience in the ransomware-as-a-service (RaaS) space, this is one of the first things we notice with new ransomware variants that are looking\r\nto retain members and achieve notoriety. Typically, RaaS affiliate programs seek to maximize partnership numbers\r\nby advertising themselves on known cybercriminal platforms or some version of their own blog or website.\r\nHowever, Talos has not been able to find any historical evidence of WhiteBlackCrypt operators advertising on\r\nunderground cybercrime forums. In fact, we could not identify any activity on the dark web related to\r\nWhiteBlackCrypt.\r\nNext, we pivoted to the email addresses Wbgroup022@gmail[.]com and Whiteblackgroup002@gmail[.]com that\r\nare listed on the ransom note. We traced the emails back to a blog post and article created in July 2020 titled,\r\n\"Where Did Nastya Hide the Oseledets?\" (Translated from Ukrainian to English). Oseledets is a Ukrainian\r\nCossack style of haircut. The blog post is intended for a Russian-speaking audience, but the title is in Ukrainian,\r\npresumably with the intent to \"troll.\" We assess with moderate confidence that this may be tied to a disinformation\r\ncampaign around activities in and around Ukraine.\r\nThe blog post falsely summarized what it alleged to be a Ukrainian military unit that engaged in an espionage\r\ncampaign targeting Russian citizens. This was done through the use of fake personas, specifically young women, a\r\ntactic that is fairly common among threat actors and is referred to as a honey trap. The blog goes on to describe\r\nthe specifics of the campaign, including the alleged infiltration of several Ukrainian news blogs and associated\r\nsocial media accounts. Importantly, it also provided an indexed list of all the personas used in this campaign. 
It\r\nwas in this list that we found a persona named \"Zebra.\" As you'll notice in the screenshot below, Zebra (\"зебра\" in\r\nRussian) is associated with two of the email addresses found in the ransom note for WhiteBlackCrypt and\r\nWhisperKill.\r\n'Zebra' persona and ties to ransom note email addresses.\r\nThis puts the creation of the emails and their alleged use in a fake Ukrainian disinformation campaign to at least\r\nthe summer of 2020, approximately eight or nine months before the fake ransomware campaign. Cisco Talos tried\r\nto find any evidence of a Ukrainian-backed disinformation campaign outlined in the blog post, but thus far have\r\nbeen unsuccessful in corroborating these claims.\r\nWhiteBlackGroup User Image\r\nDuring our research into the email addresses that appeared in the WhisperKill ransom note, we found further\r\nreferences to WhiteBlackGroup/Zebra. These include findings that refer back to similar motifs, including white,\r\nblack and zebras. We were able to find an account that was registered on the same platforms where the\r\nLiveJournal entries were found. The user \"whiteblackgroup\" had a headline claiming \"Caution! Russian\r\nPropaganda!\" (translated from Russian to English) and also made use of a profile picture that includes a zebra,\r\nwhich is also the name of the persona referenced above and could also be an additional reference to white and\r\nblack. 
The headline is associated with a blog posted by Zebra that accused Russia of carrying out a disinformation\r\ncampaign against Ukraine to validate themselves through anti-Russian posts.\r\nHeadline about Russian Propaganda\r\nUpon further research, Talos researchers found three additional copies of this particular blog on LiveJournal blogs.\r\nThese particular blogs appear to focus on anti-Western and anti-Ukrainian disinformation. One notable difference\r\nbetween these three blogs and the original is they all linked to another publication which was the earliest version\r\nof the blog we could find. That version was published by an entity called Analytical Service of Donbas (ASD)\r\n(translated from Russian into English). This blog is dedicated to the amplification of misinformation related to the\r\ncurrent tensions in Ukraine. Specifically, it appears to be curated for citizens within the occupied Ukrainian region\r\nof Donbas and Russia.\r\nWe began to look a little deeper at ASD, specifically the authors that publish articles on the site. This led us to\r\nBoris Rozhin. We pivoted and found that this author also posts under an alias, Colonel Cassad. After some\r\nadditional digging, we found two Telegram channels — one using his real name, the other using the same Colonel\r\nCassad alias. The Telegram channels appear to focus on exposing fake Ukrainian military operations or exposing\r\nor doxing members of Ukrainian militia units. Several blog posts appear to describe Boris Rozhin as someone\r\nwho is an active supporter of Ukrainian separatists in occupied Donbas and who has developed other media that\r\nspreads Ukrainian-focused misinformation.\r\nAt this point, we could not correlate the original \"Where Did Nastya Hide the Oseledets?\" blog and Boris Rozhin.\r\nThe connection ended up relying on another name: JokerDNR. 
JokerDNR is a persona and Telegram channel that\r\ndescribes itself as \"the channel with stolen Ukrainian military documents – who steals them? That's not clear, but\r\nit is very interesting\" (translated from Russian to English). This Telegram channel shared the Oseledets blog post\r\nand the three LiveJournal reposts mentioned above.\r\nWe've made several connections between Boris Rozhin and JokerDNR. In 2019, Boris Rozhin's Telegram\r\npseudonym (@Colonel Cassad), listed JokerDNR as part of a list of recommended Telegram channels. Another\r\nblog post directly refers to Boris Rozhin as Joker and JokerDNR and falsely alluded to Ukrainian forces as being a\r\npart of the political violence that occurred in Kazakhstan in January 2022. This false narrative described a military\r\nofficer from the Ukrainian military that was part of an information warfare unit that operated in Kazakhstan. The\r\nmilitary officer is described as a \"compliment to 'Joker' military expert Boris Rozhin.\" JokerDNR also took\r\nresponsibility for leaking NATO and Ukrainian Navy information in July 2021.\r\nWe can also link Boris Rozhin to a major disinformation campaign linked to FancyBear APT activity. This\r\noccurred during a research revelation from 2016-2017 where CrowdStrike reported the FancyBear APT group had\r\ncompromised a mobile app used by Ukrainian artillery forces. The report alleged that the compromise led to\r\n\"larger than average losses to Ukrainian artillery.\" They based this research on a report from the International\r\nInstitute of Strategic Studies, a think tank in London. However, the original source of the information was a false\r\nreport that was part of an article shared on a site called the Saker. This site focuses on sharing pro-Russian views\r\non conflicts in Ukraine and Syria. 
An article in VOA News found the author of that particular document was a\r\nblogger named \"Boris Rozhin:\"\r\nCrowdStrike told VOA its information on those losses came from what it described as an analysis from the\r\nInternational Institute for Strategic Studies (IISS), a London-based think tank.\r\n\"We cited the public, third-party reference source that was quoted,\" VOA was told.\r\nBut the source referenced in the CrowdStrike report on its website is not the site of the actual IISS, but an article\r\non The Saker, a site that presents a largely pro-Russian version of events in Syria and Ukraine.\r\n…\r\nThe article is an English translation from a post first published by Boris Rozhin, a popular Russian blogger, who\r\ncovers Russian military operations under the moniker \"Colonel Cassad\" from Russian-annexed Crimea.\r\nThe blog post in question cites a false IISS report that Rozhin uses to write a story that falsely asserts that\r\nUkrainian artillery forces suffered bigger losses. According to Rozhin, the articles he based the blog on were\r\nobtained from Russian torrent sites.\r\nThere are a few indications that can point to an ulterior motive when it comes to the emails associated with the\r\nZebra persona. As mentioned, the WhisperKill ransomware didn't demonstrate any motivations to actually\r\nfinancially benefit from their campaign. Additionally, the emails appeared openly in public reports. Ransomware\r\ncartels typically exercise basic operational security and do not reuse an email that has already been exposed\r\npublicly, unless there is a parallel narrative where the use of these emails could serve a purpose. 
It is plausible that\r\nthe WhiteBlackGroup persona is part of a broader, long-term coordinated disinformation mechanism that seeks\r\nmulti-layered validation, perhaps similar to the one reported by CrowdStrike.\r\nCisco Talos assesses with high confidence that the email addresses and other associated \"flags\" identified in these\r\nransomware campaigns are designed to implicate Ukrainians in the activity, a fact that can be leveraged by Russia\r\nin a variety of ways. This stands in agreement with similar statements made by both SSSCIP and more broadly by\r\nthe Ukrainian government. Talos associated the emails used in the WhiteBlackCrypt ransom notes to suspicious\r\ncontent dating back at least nine months. Additionally, the ransomware itself provided no mechanism for recovery,\r\neliminating the possibility that the campaign was for financial gain. The email addresses have been published in\r\nblogs and amplified in Telegram channels with questionable motivations, and are likely associated with anti-Western and pro-Russian themes. These findings, along with the examples of Boris Rozhin's previous attempts to\r\ninject disinformation, point to a broader coordinated disinformation campaign seeking multi-layer validation and\r\nthe ability to push narratives into Western media.\r\nMulti-stage infection chain delivers destructive wiper malware\r\nIn their advisory published on Jan. 26, 2022, CERT-UA asserted that the initial vector for the malware, dubbed\r\nWhisperGate, was either a supply-chain attack or exploitation. Below is a translated excerpt of this statement:\r\n\"The most likely vector for a cyber attack is the compromise of the supply chain, which has made it possible to\r\nuse existing trust links to disable related information and telecommunications and automated systems. 
At the same\r\ntime, two other possible attack vectors are not ruled out, namely the exploitation of OctoberCMS and Log4j\r\nvulnerabilities.\"\r\nThe first payload in this infection is responsible for the initial attempt at wiping the systems. The malware\r\nexecutable wipes the master boot record (MBR) and replaces it with the code responsible for displaying the\r\nransom note. Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign,\r\nWhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten and has no\r\nrecovery options. This wiper also tries to destroy the C:\\ partition by overwriting it with fixed data. The additional\r\nsteps taken to wipe the actual hard drive partition differentiate its behavior from other wiper malware like\r\nNotPetya.\r\nHowever, most modern systems today have switched to GUID Partition Table (GPT) from MBR, which allows for\r\nlarger file systems and has fewer limitations, potentially limiting some of the impacts of this executable. As a\r\nresult, there were additional stages and additional payloads that could inflict more damage to end systems.\r\nSecond stage\r\nThe second stage of the infection chain is a downloader that retrieves a third stage from a Discord server URL\r\nthat's hard-coded in the downloader. The downloader starts by executing a base64-encoded PowerShell command\r\ntwice to make the endpoint sleep for 20 seconds.\r\n// Start-Sleep -s 10\r\npowershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==\r\nSleeps the downloader.\r\nAfter that, it downloads a file from Discord. 
The downloaded file is in reverse byte order.\r\nDownloads file from Discord.\r\nThe downloader restores the downloaded file by reversing the bytes within the file.\r\nMethod that reverses the downloaded file.\r\nThe restored file is a DLL and serves as the third stage of the infection chain. After restoration, it loads the third-stage DLL and proceeds to retrieve all of its public methods to search for a method with the name\r\n\"Ylfwdwgmpilzyaph\". If the method is found, the downloader will execute it by calling \".Invoke(null, null)\",\r\ntransferring the execution flow over to the third-stage DLL.\r\nRetrieving third-stage public methods using Type.GetMethods.\r\nCompare if method name is \"Ylfwdwgmpilzyaph\".\r\nExecutes Ylfwdwgmpilzyaph by calling MethodBase.Invoke.\r\nThird stage\r\nThe third stage of the infection chain is a DLL written in C# and obfuscated with Eazfuscator. It is a dropper that\r\ndrops and executes a fourth-stage wiper payload. Unlike the first stage wiper, the main objective of the fourth\r\nstage wiper is to delete all data on the endpoint. The fourth-stage wiper payload is probably a contingency plan if\r\nthe first-stage wiper fails to clear the endpoint.\r\nStatic analysis.\r\nThe third-stage DLL starts off by dropping a VBScript named \"Nmddfrqqrbyjeygggda.vbs\" into the %TEMP%\r\ndirectory and executes it. 
The script modifies Windows Defender settings to exclude the target logical drive it is\r\ngoing to wipe from scheduled and real-time scanning.\r\nCreateObject(\"WScript.Shell\").Run \"powershell Set-MpPreference -ExclusionPath 'C:\\'\", 0, False\r\nDrops VBScript using File.WriteAllText.\r\nExecutes VBScript using Process.Start.\r\nNext, the DLL loads an embedded resource named \"78c855a088924e92a7f60d661c3d1845\" into memory and\r\ndecrypts it using multiple XOR operations.\r\nLoads the resource using Assembly.GetManifestResourceStream.\r\nMethod that performs the XOR decryption.\r\nThe decrypted resource is a DLL file embedded with two resources named \"AdvancedRun\" and \"Waqybg\" that are\r\ncompressed with GZip.\r\nTwo resources embedded in the decrypted resource.\r\nThe third-stage DLL proceeds by loading the \"AdvancedRun\" resource into memory, decompressing it and\r\ndropping it as \"AdvancedRun.exe\" into the %TEMP% directory.\r\nCalling GZipStream class to decompress the resource.\r\nDrops AdvancedRun.exe using File.WriteAllBytes.\r\n\"AdvancedRun.exe\" is a tool provided by Nirsoft to execute a program with different settings. Once the tool is\r\ndropped, the third stage DLL will leverage it to execute two commands in the context of the Windows\r\nTrustedInstaller group. The TrustedInstaller group was an addition to Windows beginning in Windows 7 with the\r\ngoal of preventing accidental damage to critical system files. AdvancedRun is one of the tools that can be used to\r\nexecute commands in the context of the TrustedInstaller user. 
This functionality is only available via CLI and\r\nrequires the flag of \"/RunAs 8\", which is shown in the commands below. The tool will be deleted from the\r\n%TEMP% directory after executing both commands. The first command leverages the Windows service control\r\napplication (sc.exe) to disable Windows Defender.\r\n\"%TEMP%\\AdvancedRun.exe\" /EXEFilename \"C:\\Windows\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run\r\nThe second command leverages Windows PowerShell to execute a Windows utility called \"rmdir\" to delete all the\r\nfiles and directories that are related to Windows Defender, such as scan results, quarantined files and definition\r\nupdates.\r\n\"%TEMP%\\AdvancedRun.exe\" /EXEFilename \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" /WindowState 0 /CommandLine \"rmdir 'C:\\ProgramData\\Microsoft\\Windows Defender' -Recurse\" /StartDirectory \"\" /RunAs 8 /Run\r\nNext, the third-stage DLL will load the \"Waqybg\" resource into memory. As the resource is stored in reverse byte\r\norder, the third-stage DLL will restore it by reversing the bytes and then proceed to decompress it. The\r\ndecompressed data is the fourth stage wiper payload. After decompressing the data, the third-stage DLL copies a\r\nlegitimate Windows utility \"InstallUtil.exe\" into the %TEMP% directory, creates a suspended process with it and\r\ninjects the fourth-stage wiper into the process. 
Finally, it resumes the process and transfers the execution flow to\r\nthe fourth-stage wiper.\r\nCreates InstallUtil.exe process.\r\nFourth stage\r\nThe fourth-stage wiper starts off by enumerating from A to Z, looking for fixed and remote logical drives in the\r\nsystem.\r\nEnumerates logical drives.\r\nFor each enumeration, it performs a breadth-first search to wipe the files in the logical drive while ignoring files\r\nlocated in the \"%HOMEDRIVE%\\Windows\" directory.\r\nPerforms breadth-first search wiping.\r\nIt also only wipes files that have specific file extensions:\r\n.HTML .HTM .SHTML .XHTML .PHTML .PHP .JSP .ASP .PHPS .PHP5 .ASPX .PHP4 .PHP6 .PHP7 .PHP3\r\n.DOC .DOCX .XLS .XLSX .PPT .PPTX .PST .OST .MSG .EML .VSD .VSDX .TXT .CSV .RTF .WKS .WK1\r\n.PDF .DWG .ONETOC2 .SNT .JPEG .JPG .DOCB .DOCM .DOT .DOTM .DOTX .XLSM .XLSB .XLW .XLT\r\n.XLM .XLC .XLTX .XLTM .PPTM .POT .PPS .PPSM .PPSX .PPAM .POTX .POTM .EDB .HWP .602 .SXI .STI\r\n.SLDX .SLDM .BMP .PNG .GIF .RAW .CGM .SLN .TIF .TIFF .NEF .PSD .AI .SVG .DJVU .SH .CLASS .JAR\r\n.BRD .SCH .DCH .DIP .PL .VB .VBS .PS1 .BAT .CMD .JS .ASM .H .PAS .CPP .C .CS .SUO .ASC .LAY6 .LAY\r\n.MML .SXM .OTG .ODG .UOP .STD .SXD .OTP .ODP .WB2 .SLK .DIF .STC .SXC .OTS .ODS .3DM .MAX\r\n.3DS .UOT .STW .SXW .OTT .ODT .PEM .P12 .CSR .CRT .KEY .PFX .DER .OGG .RB .GO .JAVA .INC .WAR\r\n.PY .KDBX .INI .YML .PPK .LOG .VDI .VMDK .VHD .HDD .NVRAM .VMSD .VMSN .VMSS .VMTM\r\n.VMX .VMXF .VSWP .VMTX .VMEM .MDF .IBD .MYI .MYD .FRM .SAV .ODB .DBF .DB .MDB .ACCDB\r\n.SQL .SQLITEDB .SQLITE3 .LDF .SQ3 .ARC .PAQ .BZ2 .TBK .BAK .TAR .TGZ .GZ .7Z .RAR .ZIP\r\n.BACKUP .ISO .VCD .BZ .CONFIG\r\n192 file extensions\r\nComparing file 
extension.\r\nThe wiper will overwrite the content of each file with 1MB worth of 0xCC bytes and rename them by appending\r\neach filename with a random four-byte extension.\r\nWiping the file.\r\nAfter the wiping process completes, it performs a delayed command execution using Ping to delete\r\n\"InstallerUtil.exe\" from the %TEMP% directory.\r\nDeleting InstallerUtil.exe.\r\nFinally, it attempts to flush all file buffers to disk and stop all running processes (including itself) by calling\r\nExitWindowsEx Windows API with EWX_SHUTDOWN flag.\r\nCalling ExitWindowsEx with EWX_SHUTDOWN.\r\nAdditional behavior and network proliferation\r\nDuring the investigation, CERT-UA observed unauthorized behaviour by legitimate accounts. As seen in the .bash\r\nhistory file shown below, the attacker added a new user, added it to a privileged group, and downloaded a file.\r\nScreenshot from CERT-UA advisory\r\nAs stated by CERT-UA, it is likely that the attackers utilized the Impacket tools \"wmiexec\" and \"smbexec\" to\r\nproliferate across networks. Below is a screenshot from their advisory, showing Sysmon logs that may indicate the\r\nuse of these tools.\r\nScreenshot from CERT-UA advisory\r\nMitigation \u0026 Recommendations\r\nCisco Talos supports the recommendations made by CISA that organizations with interests in the area carefully\r\nmonitor and isolate systems with connections to Ukraine due to the ongoing challenges they face. This mirrors the\r\nrecommendations we made in 2017 shortly after NotPetya and our analysis of the malware's effects.\r\nThose recommendations still hold true today: Systems in Ukraine face challenges that may not apply to those in\r\nother regions of the world, and extra protections and precautionary measures need to be applied. 
Making sure\r\nthose systems are both patched and hardened is of the utmost importance to help mitigate the threats the region\r\nfaces.\r\nIndicators of Compromise (IoCs)\r\nHashes\r\nStage 1 BootPatch (MBR Wiper)\r\na196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92\r\nStage 2 WhisperGate (Downloader)\r\ndcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78\r\nStage 3 WhisperPack (Loader DLL)\r\n923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 (Reversed DLL)\r\n9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d (DLL)\r\nStage 4 WhisperKill (File Wiper)\r\n34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907\r\nSource: https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html"
	],
	"report_names": [
		"ukraine-campaign-delivers-defacement.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434787,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/092274a372bedce53033430ca2c2da734c444047.pdf",
		"text": "https://archive.orkl.eu/092274a372bedce53033430ca2c2da734c444047.txt",
		"img": "https://archive.orkl.eu/092274a372bedce53033430ca2c2da734c444047.jpg"
	}
}