{
	"id": "8cb9ac5c-b5dd-45a5-80d9-56dbdacdbc5a",
	"created_at": "2026-04-06T00:19:23.011668Z",
	"updated_at": "2026-04-10T03:35:26.26606Z",
	"deleted_at": null,
	"sha1_hash": "38b4015918d3950d0e496899c4e9c1c3cd097409",
	"title": "Operation Bleeding Bear",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2297056,
	"plain_text": "Operation Bleeding Bear\r\nBy Daniel Stepanic, James Spiteri, Joe Desimone, Mark Mager, Andrew Pease\r\nPublished: 2022-12-06 · Archived: 2026-04-05 21:37:23 UTC\r\nKey takeaways\r\nElastic Security provides new analysis and insights into a targeted campaign against Ukrainian organizations with destructive malware, reported over the weekend of Jan 15, 2022\r\nTechniques observed include process hollowing, tampering with Windows Defender, a Master Boot Record (MBR) wiper, and a file corruptor component\r\nElastic Security prevents each stage of the described campaign using prebuilt endpoint protection features\r\nOverview\r\nhttps://www.elastic.co/fr/security-labs/operation-bleeding-bear\r\nPage 1 of 12\r\nOver this past weekend (1/15/2022), Microsoft released details of a new campaign targeting Ukrainian government entities and organizations with destructive malware. In a multi-staged attack, one malware component known as WhisperGate wipes the Master Boot Record (MBR), leaving any impacted machine inoperable after the next boot.\r\nIn another stage, a file corruptor component overwrites files with specific extensions in targeted directories. The elements used in this campaign lack the common characteristics of a ransomware compromise: the adversary uses the same Bitcoin address for every victim and shows no intent to decrypt the victim’s machine.\r\nThe Ukrainian National Cyber Security Coordination Center has been referring to this threat activity on its official Twitter and Facebook accounts as Operation Bleeding Bear.\r\nTranslation: Update information on the cyber attack on January 13-14 on Ukrainian infrastructure. For a coordinated response report the incident: report@ncscc.gov.ua\r\nElastic users are fully protected from attacks like these through the advanced malware detection and Ransomware Protection capabilities in the platform. 
The Elastic Security team continues to monitor these events. This case highlights the importance of prevention when facing ransomware and malware with destructive capabilities.\r\nMalware analysis breakdown (Stages 1-4)\r\nStage 1: WhisperGate MBR payload\r\nThe Master Boot Record (MBR) is the first sector of a disk. It holds the bootstrap code that the firmware runs at start-up and, most importantly, the partition table that tells the system where the bootable partition containing the operating system is located. If it is tampered with, the system can be rendered inoperable, a tactic malware and ransomware campaigns have used for years to disrupt infected systems.\r\nThe stage 1 binary is named stage1.exe and has low complexity. An 8192-byte buffer containing the replacement MBR data, including the ransom note, is allocated on the stack. A file handle to the first physical drive (PhysicalDrive0, whose first sector is the MBR) is obtained with CreateFileW, and that handle is passed to WriteFile, which writes only the first 512 bytes of the buffer over the Master Boot Record.\r\nThe host is subsequently rendered inoperable during the next boot-up sequence. Below is a screenshot showing the ransom note from an affected virtual machine.\r\nContained within the ransom note are instructions soliciting payment to the bitcoin wallet address 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv. The wallet does not appear to have received funds from victims as of the publication of this post.\r\nStage 2/3: Discord downloader and injector\r\nOnce the payload has gained a foothold, further destructive capabilities are facilitated by the stage 2 binary, called stage2.exe. 
This binary pulls down and launches a payload hosted on the Discord content delivery network, a recently reported approach that is increasingly used by malicious actors.\r\nThe obfuscated .NET payload (described as Stage 3 below) is then executed in memory, setting off a number of events including:\r\nWriting and executing a VBS script that uses PowerShell to add a Windows Defender exclusion on the root directory (C:)\r\nWriting and executing a VBS script\r\n\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\jim\\AppData\\Local\\Temp\\Nmddfrqqrbyjeygggda.vbs\"\r\nUses PowerShell to add a Windows Defender exclusion\r\npowershell.exe Set-MpPreference -ExclusionPath 'C:\\'\r\nAdvancedRun, a NirSoft utility for running Windows applications with different settings, is then dropped to disk and executed to invoke the Service Control Manager (sc.exe) and stop the Windows Defender service (WinDefend).\r\nAdvancedRun is used to stop Windows Defender\r\n\"C:\\Users\\jim\\AppData\\Local\\Temp\\AdvancedRun.exe\" /EXEFilename \"C:\\Windows\\System32\\sc.exe\" `\r\n /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run\r\nAdvancedRun is used again to launch PowerShell and recursively delete the Windows Defender directory and its files.\r\nAdvancedRun deleting the Windows Defender directory\r\n\"C:\\Users\\jim\\AppData\\Local\\Temp\\AdvancedRun.exe\" `\r\n /EXEFilename \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" /WindowState 0 `\r\n /CommandLine \"rmdir 'C:\\ProgramData\\Microsoft\\Windows Defender' -Recurse\" `\r\n /StartDirectory \"\" /RunAs 8 /Run\r\nInstallUtil.exe, a .NET Framework command-line utility for installing and uninstalling server resources on the local machine, is copied into the user’s %TEMP% directory. 
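The AdvancedRun command lines above and the InstallUtil copy in %TEMP% are exactly what the two Elastic EQL queries in the detection section of this post look for. The Python below is an added example, not code from the original post or from Elastic: it re-implements those two queries over a handful of constructed ECS-style process-start events so the logic can be exercised offline. The events, the staging path C:\Windows\Temp (standing in for the user %TEMP% path seen in the post) and the benign cases are all made up for the example; only the sc.exe and rmdir command lines mirror the ones quoted above.

```python
import fnmatch

def wildcard(value, pattern):
    # EQL's ':' operator is a case-insensitive wildcard match; fnmatchcase is
    # case-sensitive, so both sides are lower-cased first.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def defender_tamper_via_advancedrun(e):
    # process where event.type == 'start' and
    #   process.pe.original_file_name == 'AdvancedRun.exe' and
    #   process.command_line : ('*rmdir*Windows Defender*Recurse*', '*stop WinDefend*')
    return (e.get('event.type') == 'start'
            and e.get('process.pe.original_file_name') == 'AdvancedRun.exe'
            and any(wildcard(e.get('process.command_line', ''), p)
                    for p in ('*rmdir*Windows Defender*Recurse*', '*stop WinDefend*')))

def installutil_masquerade(e):
    # process where event.type == 'start' and
    #   process.pe.original_file_name == 'InstallUtil.exe' and
    #   not process.executable : '?:\\Windows\\Microsoft.NET\\*'
    return (e.get('event.type') == 'start'
            and e.get('process.pe.original_file_name') == 'InstallUtil.exe'
            and not wildcard(e.get('process.executable', ''), '?:\\Windows\\Microsoft.NET\\*'))

RULES = {
    'Detect attempts to tamper with Windows Defender': defender_tamper_via_advancedrun,
    'Identifies code injection with InstallUtil': installutil_masquerade,
}

# Constructed sample telemetry (not real events). The hypothetical staging
# directory C:\Windows\Temp stands in for the %TEMP% path seen in the post.
EVENTS = [
    {   # 0: stage 3 stops the Defender service through AdvancedRun (hit)
        'event.type': 'start',
        'process.pe.original_file_name': 'AdvancedRun.exe',
        'process.executable': 'C:\\Windows\\Temp\\AdvancedRun.exe',
        'process.command_line': '\"C:\\Windows\\Temp\\AdvancedRun.exe\" /EXEFilename '
                                '\"C:\\Windows\\System32\\sc.exe\" /WindowState 0 '
                                '/CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run',
    },
    {   # 1: stage 3 deletes the Defender directory through AdvancedRun (hit)
        'event.type': 'start',
        'process.pe.original_file_name': 'AdvancedRun.exe',
        'process.executable': 'C:\\Windows\\Temp\\AdvancedRun.exe',
        'process.command_line': '\"C:\\Windows\\Temp\\AdvancedRun.exe\" /EXEFilename '
                                '\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" '
                                '''/WindowState 0 /CommandLine \"rmdir 'C:\\ProgramData\\Microsoft\\Windows Defender' -Recurse\" '''
                                '/StartDirectory \"\" /RunAs 8 /Run',
    },
    {   # 2: an administrator launching Notepad through AdvancedRun (no hit)
        'event.type': 'start',
        'process.pe.original_file_name': 'AdvancedRun.exe',
        'process.executable': 'C:\\Tools\\AdvancedRun.exe',
        'process.command_line': '\"C:\\Tools\\AdvancedRun.exe\" /EXEFilename \"C:\\Windows\\System32\\notepad.exe\" /RunAs 8 /Run',
    },
    {   # 3: the genuine InstallUtil.exe from the .NET Framework directory (no hit)
        'event.type': 'start',
        'process.pe.original_file_name': 'InstallUtil.exe',
        'process.executable': 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe',
        'process.command_line': 'InstallUtil.exe /u Service.dll',
    },
    {   # 4: the copy stage 3 drops in the staging directory and hollows out (hit)
        'event.type': 'start',
        'process.pe.original_file_name': 'InstallUtil.exe',
        'process.executable': 'C:\\Windows\\Temp\\InstallUtil.exe',
        'process.command_line': '\"C:\\Windows\\Temp\\InstallUtil.exe\"',
    },
    {   # 5: the same copy renamed; the PE version resource still says InstallUtil.exe (hit)
        'event.type': 'start',
        'process.pe.original_file_name': 'InstallUtil.exe',
        'process.executable': 'C:\\Windows\\Temp\\updater.exe',
        'process.command_line': '\"C:\\Windows\\Temp\\updater.exe\"',
    },
]

def run_rules(events):
    # Returns rule name -> indexes of the events it matched.
    hits = {name: [] for name in RULES}
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits[name].append(i)
    return hits

if __name__ == '__main__':
    for name, idx in run_rules(EVENTS).items():
        print(name, idx)
```

Both rules key on process.pe.original_file_name, which is read from the PE version resource and survives copying and renaming, so event 5 still fires even though the file on disk is no longer called InstallUtil.exe; an adversary would have to patch the resource to slip past it. The wildcard helper lower-cases both sides because EQL's : operator is case-insensitive while fnmatch is not on POSIX hosts.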
This copy is then used for process hollowing: it is launched in a suspended state, memory is allocated inside it (VirtualAllocEx), the file corruptor payload (described as the Final Stage below) is written into that memory (WriteProcessMemory), the thread context is modified (SetThreadContext) so that execution begins at the file corruptor entry point, and the thread is resumed to start the file corruptor (ResumeThread).\r\nFinal stage: File corruptor\r\nThe final file corruptor payload is loaded in memory via process hollowing into the InstallUtil process. The file corruptor:\r\nTargets any local hard drives, attached USB drives, or mounted network shares\r\nScans directories for files matching an internal hard-coded extension list (excluding the Windows folder)\r\n.3DM .3DS .602 .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD\r\n.BZ .BZ2 .C .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF\r\n.DIP .DJVU .SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO\r\n.GZ .H .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX\r\n.KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP\r\n.ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3\r\n.PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX\r\n.PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK\r\n.SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM\r\n.SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD\r\n.VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM\r\n.XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP\r\nOverwrites the start of each targeted file with 1MB of static data (byte 0xCC), regardless of file 
size\r\nRenames each targeted file to a randomized extension\r\nDeletes itself with the command below (the ping serves as a delay so that the process has exited before Del runs):\r\nOverwriting, renaming, and deleting files\r\ncmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q <running process path>\r\nMBR protection with Elastic Security\r\nChanges to the MBR are particularly strong signals of anomalous and destructive activity typically associated with ransomware. To counter this, Elastic security researchers built an MBR protection component based on these signals into the multi-layered ransomware protection feature.\r\nWhen a process attempts to overwrite the contents of the MBR, the prewrite buffer and associated process metadata are analyzed inline before any change is written to disk. If the activity is deemed malicious, the process is terminated immediately (prevention mode) and a ransomware alert is generated (prevention and detection modes; in detection mode the alert is generated but the process is not terminated), giving security operators time to respond.\r\nWhen configured in prevention mode, Elastic Security’s ransomware protection preserves the integrity of the MBR in full: because the feature inspects the write synchronously, no change ever reaches disk, and the attack is stopped in its tracks as the offending process is terminated.\r\nWhen WriteFile is invoked on PhysicalDrive0 on a host running Elastic Security with ransomware protection enabled, the pending change is immediately analyzed and deemed malicious. The process is then terminated, the endpoint user is alerted via a popup notification, and a ransomware prevention alert is sent to and stored in Elasticsearch. 
The intended ransom note can be recovered by Base64-decoding the contents of the prewrite buffer found in the alert within Kibana.\r\nNote that while Elastic detects this behaviour, the detection is not specific to this payload; it keys on the behaviour the payload exhibits. This increases the chance of detecting and preventing malicious behaviours even when no static signature for the malware is known, and threat actors find this kind of control harder to evade than traditional signature-based detection and prevention.\r\nObserving WhisperGate in Elastic Security\r\nBy filtering on the process hash of the stage 1 dropper above (a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92) via the process.hash.sha256 field in Elastic Security, we can isolate the ransomware alert and analyze the blocked attempt to overwrite the MBR.\r\nAs we can see, the data is stored as a Base64-encoded string in Elasticsearch. 
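The Python below is an added example, not code from Elastic or from the original post. It models the stage 1 write described earlier (an 8192-byte buffer of which WriteFile copies only 512 bytes to sector 0 of PhysicalDrive0) against a constructed disk image, and then performs the analyst step on the alert data: Base64-decoding a prewrite buffer and checking what the pending write would have changed. The MBR layout, the disk image, the note text and the prewrite buffer are all constructed for the example; the replacement boot code is plain ASCII text rather than the real bootable code WhisperGate carries.

```python
import base64
import hashlib
import struct

SECTOR_SIZE = 512                     # WriteFile copies only this much of the 8192-byte buffer
BUFFER_SIZE = 8192
PARTITION_TABLE_OFFSET = 446          # boot code occupies bytes 0..445, then four 16-byte entries
BOOT_SIGNATURE = bytes([0x55, 0xAA])  # bytes 510..511 of every bootable MBR

def build_baseline_mbr():
    # Constructed known-good MBR: zeroed boot code, one active partition
    # (type 0x07, starting at LBA 2048) and the boot signature.
    mbr = bytearray(SECTOR_SIZE)
    entry = struct.pack('<B3sB3sII', 0x80, bytes(3), 0x07, bytes(3), 2048, 0x7FFFFFF)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

def build_wiper_buffer(note):
    # Stand-in for the 8192-byte stack buffer stage1.exe prepares: replacement
    # boot code (here just the note as ASCII) plus a valid signature, so the
    # firmware still runs sector 0 and shows the note. Everything past byte 512
    # never reaches disk.
    buf = bytearray(BUFFER_SIZE)
    body = note.encode('ascii')
    buf[:len(body)] = body
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)

def simulate_writefile(disk, buffer, nbytes=SECTOR_SIZE):
    # Models WriteFile(hPhysicalDrive0, buffer, 512, ...): sector 0 is replaced, nothing else.
    return buffer[:nbytes] + disk[nbytes:]

def analyze_prewrite_buffer(b64_prewrite, baseline):
    # The analyst step on the alert: decode the Base64 prewrite buffer, confirm it is a
    # full sector carrying a boot signature, diff its partition table against the
    # known-good MBR and recover the printable text (the note) from the boot-code region.
    data = base64.b64decode(b64_prewrite)
    text = bytes(c if 32 <= c < 127 else 0x20 for c in data[:PARTITION_TABLE_OFFSET])
    return {
        'length': len(data),
        'has_boot_signature': data[-2:] == BOOT_SIGNATURE,
        'partition_table_changed': data[PARTITION_TABLE_OFFSET:510] != baseline[PARTITION_TABLE_OFFSET:510],
        'sha256': hashlib.sha256(data).hexdigest(),
        'note': ' '.join(text.decode('ascii').split()),
    }

def demo():
    baseline = build_baseline_mbr()
    disk = baseline + bytes(SECTOR_SIZE * 3)        # tiny constructed disk image: MBR + 3 sectors
    wiper = build_wiper_buffer('CONSTRUCTED RANSOM NOTE FOR TESTING')
    # What the endpoint captures inline before the write is allowed or blocked.
    prewrite_b64 = base64.b64encode(wiper[:SECTOR_SIZE]).decode('ascii')
    report = analyze_prewrite_buffer(prewrite_b64, baseline)
    wiped = simulate_writefile(disk, wiper)          # outcome with no prevention in place
    report['mbr_intact_after_write'] = wiped[:SECTOR_SIZE] == baseline
    report['other_sectors_untouched'] = wiped[SECTOR_SIZE:] == disk[SECTOR_SIZE:]
    return report

if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

Two things the output makes concrete: the wiper buffer still ends in the 0x55AA boot signature (it has to, or the firmware would never run it and display the note), so the presence of a signature says nothing about integrity and the diff against a known-good sector 0 is the reliable check; and only the first sector changes, which is why a single 512-byte pending write is all the endpoint needs to inspect even though the malware allocates 8192 bytes.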
Decoded, we can see the contents of the ransom note that would be displayed to the end user of an affected system.\r\nAlert breakdown and defensive recommendations\r\nThe following alerts were triggered in Elastic Security during our investigations:\r\nEndpoint Security Integration Alerts\r\nStage 1 - MBR Wiper (a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92)\r\nMalware Prevention Alert\r\nRansomware Prevention Alert (MBR overwrite)\r\nStage 2 - Downloader (dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78)\r\nMalware Prevention Alert\r\nStage 3 + Stage 4 - Injector/File Corruptor (34CA75A8C190F20B8A7596AFEB255F2228CB2467BD210B2637965B61AC7EA907)\r\nRansomware Prevention Alert (canary files)\r\nMalicious Behaviour Prevention Alert - Binary Masquerading via Untrusted Path\r\nMemory Threat Prevention Alert\r\nPrebuilt Detection Engine Alerts\r\nThe following existing public detection rules can also be used to detect some of the employed techniques:\r\nSuspicious Execution via Windows Management Instrumentation (WMI)\r\nWindows Defender Exclusions Added via PowerShell\r\nConnection to Commonly Abused Web Services\r\nProcess Execution from an Unusual Directory\r\nWindows Script Executing PowerShell\r\nDisabling Windows Defender Security Settings via PowerShell\r\nDetection queries\r\nDetect attempts to tamper with Windows Defender settings via NirSoft AdvancedRun executed by the Stage 3 injector:\r\nDetect attempts to tamper with Windows Defender\r\nprocess where event.type == \"start\" and\r\nprocess.pe.original_file_name == \"AdvancedRun.exe\" and\r\nprocess.command_line :\r\n(\"*rmdir*Windows Defender*Recurse*\",\r\n \"*stop WinDefend*\")\r\nDetect masquerading as InstallUtil via code injection:\r\nIdentifies code injection with 
InstallUtil\r\nprocess where event.type == \"start\" and\r\nprocess.pe.original_file_name == \"InstallUtil.exe\" and\r\nnot process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*\"\r\nMITRE ATT&CK\r\nT1561.002 - Disk Structure Wipe\r\nT1562.001 - Disable or Modify Tools\r\nT1047 - Windows Management Instrumentation\r\nT1102 - Web Service\r\nT1055 - Process Injection\r\nT1027 - Obfuscated Files or Information\r\nSummary\r\nThese targeted attacks on Ukraine using destructive malware match a pattern observed in the past, such as NotPetya. Given the use of separate malware components to wipe machines and corrupt files, there was clearly no intent to collect funds; the likely goal was to sow chaos and doubt about Ukraine’s stability.\r\nAs these events are still ongoing, we wanted to release some initial analysis and observations from our perspective, and to highlight the prevention capabilities of Elastic Security across each stage of this attack, available to everyone today.\r\nExisting Elastic Security users can access these capabilities within the product. If you’re new to Elastic Security, take a look at our Quick Start guides (bite-sized training videos to get you started quickly) or our free fundamentals training courses. 
You can always get started with a free 14-day trial of Elastic Cloud.\r\nIndicators\r\nIndicator | Type | Note\r\na196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 | SHA256 | Stage1.exe (MBR wiper)\r\ndcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 | SHA256 | Stage2.exe (Downloader)\r\n923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 | SHA256 | Stage3 (Injector - original)\r\n9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d | SHA256 | Stage3 (Injector - fixed)\r\n34CA75A8C190F20B8A7596AFEB255F2228CB2467BD210B2637965B61AC7EA907 | SHA256 | Stage4 (File Corruptor)\r\nArtifacts\r\nThe artifacts are also available for download in ECS and STIX format as a combined zip bundle.\r\nSource: https://www.elastic.co/fr/security-labs/operation-bleeding-bear",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/fr/security-labs/operation-bleeding-bear"
	],
	"report_names": [
		"operation-bleeding-bear"
	],
	"threat_actors": [
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434763,
	"ts_updated_at": 1775792126,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38b4015918d3950d0e496899c4e9c1c3cd097409.pdf",
		"text": "https://archive.orkl.eu/38b4015918d3950d0e496899c4e9c1c3cd097409.txt",
		"img": "https://archive.orkl.eu/38b4015918d3950d0e496899c4e9c1c3cd097409.jpg"
	}
}