{
	"id": "719d9f16-3291-4252-8cb0-c1cab31ef2a8",
	"created_at": "2026-04-06T00:07:02.810395Z",
	"updated_at": "2026-04-10T03:30:33.440291Z",
	"deleted_at": null,
	"sha1_hash": "366c891a13f7c9364001803853aec11b49db0f33",
	"title": "StalinLocker Deletes Your Files Unless You Enter the Right Code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 945931,
	"plain_text": "StalinLocker Deletes Your Files Unless You Enter the Right Code\r\nBy Lawrence Abrams\r\nPublished: 2018-05-14 · Archived: 2026-04-05 13:39:00 UTC\r\nA new in-development screenlocker/wiper called StalinLocker, or StalinScreamer, was discovered by\r\nMalwareHunterTeam that gives you 10 minutes to enter a code or it will try to delete the contents of the drives on the\r\ncomputer. While running, it will display screen that shows Stalin while playing the USSR anthem and displaying a\r\ncountdown until files are deleted.\r\nStalinLocker/StalinScreamer Lock Screen\r\nWhen executed, StalinLocker will perform the following actions:\r\nExtract the \"USSR_Anthem.mp3\" file to the %UserProfile%\\AppData\\Local folder and play it. This anthem is the\r\nsame one heard in this YouTube video, but of much worse quality.\r\nIt will copy itself to %UserProfile%\\AppData\\Local\\stalin.exe and create an autorun called \"Stalin\" that starts the\r\nscreenlocker/wiper when the user logs into the computer.\r\nIt will create %UserProfile%\\AppData\\Local\\fl.dat and write the current amount of seconds left divided by 3. So\r\neach time you start the program, the countdown is significantly less.\r\nAttempt to terminate processes other than Skype or Discord.\r\nTerminate Explorer.exe and taskmgr.exe.\r\nTries to create a Scheduled Task called \"Driver Update\" to launch Stalin.exe. This part of the code is currently\r\nthrowing errors.\r\nStalinLocker will then display the above lock screen that contains a 10 minutes countdown until your files are deleted or you\r\nenter a code. According to MalwareHunterTeam, this code is derived by subtracting the current date of when the program\r\nwas executed by the date 1922.12.30. If the user enters the correct code, the wiper will exit and delete the autorun.\r\nhttps://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/\r\nPage 1 of 5\n\nEnter Code Source\r\nOn the other hand, if the code is not entered by the time the countdown reaches zero, the screenlocker will attempt to delete\r\nall of the files on each drive letter found on the computer. This is done by going through all drive letters from A to Z and\r\ndeleting any that are accessible as shown below.\r\nhttps://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/\r\nPage 2 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/\r\nPage 3 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nSource code to delete files on drive letters A-Z\r\nThis wiper is currently in development, but could easily be made into a workable state. Thankfully, most security vendors\r\nare detecting this either through definitions or heuristics, so make sure that you have an anti-virus program installed and\r\nupdated to the latest definitions.\r\nIOCs\r\nHashes:\r\nSHA256: 853177d9a42fab0d8d62a190894de5c27ec203240df0d9e70154a675823adf04\r\nAssociated Files:\r\n%UserProfile%\\AppData\\Local\\fl.dat\r\n%UserProfile%\\AppData\\Local\\stalin.exe\r\n%UserProfile%\\AppData\\Local\\USSR_Anthem.mp3\r\nAssociated Registry Entries:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Stalin %UserProfile%\\AppData\\Local\\stalin.exe\r\nhttps://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/\r\nhttps://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/"
	],
	"report_names": [
		"stalinlocker-deletes-your-files-unless-you-enter-the-right-code"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434022,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/366c891a13f7c9364001803853aec11b49db0f33.pdf",
		"text": "https://archive.orkl.eu/366c891a13f7c9364001803853aec11b49db0f33.txt",
		"img": "https://archive.orkl.eu/366c891a13f7c9364001803853aec11b49db0f33.jpg"
	}
}