{
	"id": "1db53c28-76f2-4958-ac33-374b592b3878",
	"created_at": "2026-04-06T00:10:45.76147Z",
	"updated_at": "2026-04-10T03:35:26.32726Z",
	"deleted_at": null,
	"sha1_hash": "5634b2c7d5d07b64d14f042f3d0771ea3d229c83",
	"title": "Threat Brief: Ongoing Russia and Ukraine Cyber Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 276570,
	"plain_text": "Threat Brief: Ongoing Russia and Ukraine Cyber Activity\r\nBy Robert Falcone, Mike Harbison, Josh Grunzweig\r\nPublished: 2022-01-20 · Archived: 2026-04-05 13:57:25 UTC\r\nExecutive Summary\r\nOn Jan. 14, 2022, reports emerged of a series of attacks against numerous Ukrainian government websites, which were left defaced or inaccessible. The government of Ukraine formally accused Russia of masterminding the attacks.\r\nA day later, public reporting described new malware called WhisperGate, first observed on Jan. 13, 2022. The malware disables Windows Defender Threat Protection, is destructive in nature and was found to have targeted multiple organizations in Ukraine. Microsoft publicly attributed the use of this custom malware to a threat actor it tracks as DEV-0586.\r\nAlthough both attacks targeted Ukrainian organizations, the two threats have so far been observed in separate incidents.\r\nIn response, Palo Alto Networks researchers took immediate action to ensure that customers anywhere in the world are protected against these threats, however they may be exploited. The investigation covered the following two threats:\r\n1. CVE-2021-32648, a vulnerability in the OctoberCMS content management system (CMS), which is believed to be behind the attacks against Ukrainian government websites.\r\n2. The WhisperGate malware, attributed to the DEV-0586 threat actor.\r\nPalo Alto Networks customers can use Xpanse or Threat Prevention for the Next-Generation Firewall to identify vulnerable and/or internet-facing instances of OctoberCMS. Protections against WhisperGate malware are included in Cortex XDR and in the WildFire and Advanced URL Filtering subscriptions for the Next-Generation Firewall. A Cortex XSOAR pack is available to assist with detecting and mitigating both threats.\r\nThreats targeting Ukraine discussed | Relevant CVEs/malware/affected software\r\nAttacks against Ukrainian government websites | CVE-2021-32648, affecting OctoberCMS\r\nAttacks against multiple organizations in Ukraine | WhisperGate malware, disabling Windows Defender Threat Protection\r\nhttps://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/\r\nPage 1 of 8\n\nCVE-2021-32648 Vulnerability\r\nThe CVE-2021-32648 vulnerability lies in the OctoberCMS platform prior to version 1.0.472 and allows an attacker to gain access to any account via a specially crafted password reset request. It is believed to have allowed threat actors to gain access to the websites used by the Ukrainian government.\r\nOnce the vulnerability was identified, Palo Alto Networks threat researchers reverse-engineered the patch that remediated it and produced a working proof of concept (PoC) in a very short time. Later that day, a public PoC surfaced, allowing organizations to better understand the vulnerability and how it is exploited. Using our PoC, we recorded a demonstration video of how a malicious actor would exploit CVE-2021-32648, log into the compromised OctoberCMS account and deface a web page hosted by the server.\r\nTo determine how this vulnerability was exploited, we analyzed the patch that the developers added in OctoberCMS version 1.0.472 to mitigate CVE-2021-32648. We found that the vulnerable code is in the Auth/Models/User.php file within the October Rain library of OctoberCMS. 
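The check that the rest of this section dissects, reconstructed as an added example in a stand-alone PHP script. This is not October CMS code and not code from the original brief: the function names, the sample reset code and the JSON request bodies are constructed for illustration. It shows a reset code delivered as a JSON boolean passing the loose == comparison that existed before build 472 and failing the strict === comparison the patch introduced, and it adds an input type check as a defence-in-depth measure that the patch itself does not include.

```php
<?php
// Added example, not code from October CMS or from the Unit 42 brief.
// It reconstructs the shape of the checkResetPasswordCode comparison so the
// type-juggling flaw behind CVE-2021-32648 can be reproduced stand-alone.
// Function names, the sample reset code and the request bodies are
// constructed for illustration and are not October's own identifiers.
declare(strict_types=1);

// Note: strict_types only governs coercion of typed function parameters and
// return values. It has no effect on how the == operator compares values.

// Reset code the CMS would have stored after a legitimate reset request
// (constructed sample token, 40 hex characters).
const STORED_RESET_CODE = 'c1f2a3d4e5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0';

// Vulnerable form (before build 472): loose comparison with ==.
// PHP juggles types first. A string compared against a bool is converted to
// bool, and every non-empty string other than '0' converts to true, so
// STORED_RESET_CODE == true is true no matter what the stored code is.
function checkResetPasswordCodeLoose(string $stored, $submitted): bool
{
    return $stored == $submitted;
}

// Patched form (build 472 and later): strict comparison with ===.
// Value and type must both match, so a boolean can never equal the stored
// string and only the exact code is accepted.
function checkResetPasswordCodeStrict(string $stored, $submitted): bool
{
    return $stored === $submitted;
}

// The attacker-controlled value comes from the request body. A JSON body can
// carry a real boolean, whereas a form-encoded body can only carry strings,
// which is why the crafted request has to be JSON. The value is returned
// as decoded, without forcing it to a string: that is the mistake on show.
function resetCodeFromJsonBody(string $body)
{
    $data = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    return $data['code'] ?? null;
}

// Defence in depth (not part of the October patch): reject any reset code
// that is not a string before it ever reaches the comparison.
function resetCodeFromJsonBodyStrict(string $body): ?string
{
    $code = resetCodeFromJsonBody($body);
    return is_string($code) ? $code : null;
}

// Constructed request bodies: a legitimate reset, a wrong code, the boolean
// true used in the exploit, and an integer 0 for comparison.
$requests = [
    'legitimate' => json_encode(['code' => STORED_RESET_CODE]),
    'wrong code' => json_encode(['code' => 'not-the-real-code']),
    'bool true'  => json_encode(['code' => true]),
    'int zero'   => json_encode(['code' => 0]),
];

foreach ($requests as $label => $body) {
    $submitted = resetCodeFromJsonBody($body);
    $loose  = checkResetPasswordCodeLoose(STORED_RESET_CODE, $submitted) ? 'accepted' : 'rejected';
    $strict = checkResetPasswordCodeStrict(STORED_RESET_CODE, $submitted) ? 'accepted' : 'rejected';
    $typed  = resetCodeFromJsonBodyStrict($body) === null ? 'dropped' : 'passed';
    echo str_pad($label, 11) . ' submitted=' . str_pad(var_export($submitted, true), 44)
        . ' ==: ' . $loose . '  ===: ' . $strict . '  type check: ' . $typed . PHP_EOL;
}
```

Run it with php from the command line. The boolean true row is accepted by == and rejected by === on every PHP version, which is the exploit path. The integer 0 row is included to show a second, version-dependent juggling path: PHP 7 converts the non-numeric stored code to 0 and accepts it under ==, while PHP 8 compares an integer against a non-numeric string as strings and rejects it. The type check drops both non-string values before any comparison takes place.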
The code that exposes this vulnerability is in a function named checkResetPasswordCode, specifically line 281 of User.php. That line validates an inbound password reset request by comparing the reset code submitted in the HTTP request with the reset code OctoberCMS generated during a legitimate reset.\r\nTo exploit this vulnerability, the actor simply supplies a boolean true value as the reset code in a custom-crafted HTTP request to reset the password of an account. Because the comparison uses the loose == operator, PHP converts both operands to a common type before comparing them, and the comparison between boolean true and a non-empty reset code string evaluates to true even though the two values have different types. This effectively validates the actor's inbound password reset request, which allows the actor to change the account's password.\r\nTo fix this vulnerability in version 1.0.472, the OctoberCMS developers changed the line of code above to use === instead of == when comparing the reset code provided by the user in the HTTP POST request. The difference is that === compares both the value and the type of the operands, whereas == compares only the value after type juggling. Evaluating the comparison in PHP shows that comparing the string code with boolean true using == yields boolean true, while the same comparison using === yields boolean false.\r\nAs a result of the analysis of CVE-2021-32648, various product protections were created or enhanced. More information about these protections can be found in the Mitigation Actions section of this briefing.\r\nWhisperGate Malware\r\nFirst observed by Microsoft on Jan. 
13, 2022, WhisperGate is computer network attack (CNA) malware aimed at deleting Microsoft Windows Defender and corrupting files on the target. It consists of two samples: one poses as ransomware, while the other is a beaconing implant used to deliver an in-memory Microsoft Intermediate Language (MSIL) payload. The in-memory code uses Living Off the Land Binaries (LOLBINs) to evade detection and also employs anti-analysis techniques, refusing to detonate when certain monitoring tools are present. At the time of writing, two samples are identified as WhisperGate: Stage1.exe and Stage2.exe. Stage1.exe purports to be ransomware: it overwrites the target's master boot record with 512 bytes and, upon reboot, displays the following ransom note:\r\nFigure 1. Stage 1 ransom note.\r\nStage2.exe is a beaconing implant that makes an HTTPS connection to download a JPG file hosted on Discord's content delivery network (CDN). Discord's CDN is a legitimate service that hosts user-uploaded attachments; the service itself is not malicious. The hosted file is retrieved from the following URL:\r\nhxxps://cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg\r\nThe file Tbopbh.jpg is the malicious payload; it is loaded in memory and kicks off the destructive capabilities. The following activity patterns are associated with this payload:\r\n1. InstallUtil.exe is copied to the host's %TEMP% directory, e.g. C:\\Users\\[USERNAME]\\AppData\\Local\\Temp. This file is a legitimate Microsoft Windows binary.\r\n2. Two instances of PowerShell are spawned with an encoded command to sleep for 10 seconds, e.g. C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== (the Base64 is the UTF-16LE encoding of Start-Sleep -s 10).\r\n3. A Visual Basic Script (VBS) named Nmddfrqqrbyjeygggda.vbs is created in C:\\Users\\[USERNAME]\\AppData\\Local\\Temp.\r\n4. wscript.exe executes the VBS script from step 3. The script calls PowerShell to add a Windows Defender exclusion path covering the whole C:\\ drive, e.g. C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -ExclusionPath 'C:\\'\r\n5. AdvancedRun.exe is created and written to the C:\\Users\\[USERNAME]\\AppData\\Local\\Temp directory.\r\n6. AdvancedRun.exe is used to run PowerShell.exe and sc.exe to delete and stop Windows Defender. The following command parameters are passed to AdvancedRun:\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" /WindowState 0 /CommandLine \"rmdir 'C:\\ProgramData\\Microsoft\\Windows Defender' -Recurse\" /StartDirectory \"\" /RunAs 8 /Run\r\n\"C:\\Users\\[USERNAME]\\AppData\\Local\\Temp\\AdvancedRun.exe\" /EXEFilename \"C:\\Windows\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run\r\n7. A PowerShell process deletes the Windows Defender directory, e.g. C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe rmdir 'C:\\ProgramData\\Microsoft\\Windows Defender' -Recurse\r\n8. InstallUtil.exe runs from the C:\\Users\\[USERNAME]\\AppData\\Local\\Temp directory. The in-memory payload (Tbopbh.jpg) runs within the context of the InstallUtil.exe process.\r\n9. Multiple instances of cmd.exe call ping.exe as a delay and then delete InstallUtil.exe, e.g. cmd.exe /min /C ping 111.111.111[.]111 -n 5 -w 10 > Nul & Del /f /q %TEMP%\\InstallUtil.exe\r\n10. AdvancedRun.exe is deleted from the C:\\Users\\[USERNAME]\\AppData\\Local\\Temp directory by the Stage2.exe binary.\r\n11. ICMP traffic to host 111.111.111[.]111 (a side effect of the ping-based delay in step 9).\r\n12. All files and directories, including those on mounted USB drives but excluding the floppy drive (A:), are targeted. Files with the following extensions are overwritten with the byte value 0xCC:\r\nFigure 2. Targeted file extensions.\r\n13. Targeted files larger than one megabyte are truncated to one megabyte when overwritten.\r\n14. Virus & Threat Protection is no longer available from Windows Security.\r\nFigure 3. Virus & Threat Protection removed.\r\nMitigation Actions\r\nOrganizations running OctoberCMS prior to Build 472 (1.0 branch) or prior to v1.1.5 (1.1 branch) are encouraged to update to the latest version. Additionally, for this vulnerability to be exploited, the web server must be running a PHP version below 7.4.\r\nPalo Alto Networks customers receive protections against the OctoberCMS vulnerability in the following ways:\r\nThreat ID 92199 was released to identify attempts to exploit this vulnerability.\r\nXpanse has a policy that customers can enable to detect internet-facing instances of OctoberCMS.\r\nPalo Alto Networks customers receive protections against WhisperGate malware in the following ways:\r\nWildFire identifies WhisperGate samples as malicious.\r\nAll observed malicious Discord URLs have been flagged as malicious.\r\nCortex XDR prevents this malware from executing using machine learning-based local analysis, the Behavioral Threat Protection module and the ransomware protection module.\r\nThe Cortex XSOAR \"WhisperGate & CVE-2021-32648\" pack can help automatically detect and mitigate the two threats. 
Read more on the XSOAR marketplace.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, APAC: +65.6983.8730, or Japan: +81.50.1790.0200.\r\nHunting for WhisperGate\r\nPalo Alto Networks Cortex XDR customers may leverage the following XQL queries, written by the Cortex Managed Threat Hunting service experts, to hunt their datasets for indicators related to WhisperGate malware. Each query targets one of the behaviours listed in the WhisperGate Malware section: the ping-based self-delete, the encoded Start-Sleep command, InstallUtil.exe written to or launched from a user's Temp directory, and the AdvancedRun and VBS activity that disables Windows Defender.\r\n// Description: WhisperGate - Self Delete\r\nconfig case_sensitive = false\r\n|dataset = xdr_data\r\n|filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START\r\n|filter (action_process_image_name = \"cmd.exe\" OR action_process_image_name = \"ping.exe\") and action_process_image_command_line contains \"111.111.111.111 -n 5 -w 10\"\r\n|fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_image_sha256, action_process_image_path, action_process_image_command_line, action_process_image_sha256\r\n\r\n// Description: WhisperGate - PowerShell Sleep\r\nconfig case_sensitive = false\r\n|dataset = xdr_data\r\n|filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START\r\n|filter action_process_image_name = \"powershell.exe\" and action_process_image_command_line contains \"UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==\"\r\n|fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_image_sha256, action_process_image_path, action_process_image_command_line, action_process_image_sha256\r\n\r\n// Description: WhisperGate - InstallUtil (Wiper)\r\nconfig case_sensitive = false\r\n|dataset = xdr_data\r\n|filter (event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_WRITE or event_sub_type = ENUM.FILE_CREATE_NEW) and (action_file_name = \"installutil.exe\" AND action_file_path contains \"\\appdata\\local\\temp\\installutil.exe\")) or ((event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START) and action_process_image_name = \"installutil.exe\" and action_process_image_path contains \"\\appdata\\local\\temp\\installutil.exe\")\r\n|dedup agent_id, actor_process_image_command_line, actor_process_image_sha256, action_file_path, action_file_sha256, action_process_image_sha256, action_process_image_command_line\r\n|fields _time, agent_id, agent_hostname, actor_effective_username, action_file_name, action_file_path, action_file_sha256, actor_process_image_path, actor_process_image_command_line, actor_process_image_sha256, action_process_image_path, action_process_image_command_line, action_process_image_sha256\r\n\r\n// Description: WhisperGate - Disable Defender\r\nconfig case_sensitive = false\r\n|dataset = xdr_data\r\n|filter ((event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START) and (action_process_image_name = \"advancedrun.exe\" and (action_process_image_command_line contains \"stop windefend\" OR action_process_image_command_line contains \"mdir 'c:\\programdata\\microsoft\\windows defender\")) or (action_process_image_name = \"wscript.exe\" and action_process_image_command_line contains \"nmddfrqqrbyjeygggda.vbs\")) or (event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_WRITE or event_sub_type = ENUM.FILE_CREATE_NEW) and (action_file_name = \"nmddfrqqrbyjeygggda.vbs\"))\r\n|dedup agent_id, actor_process_image_command_line, actor_process_image_sha256, action_file_path, action_file_sha256, action_process_image_sha256, action_process_image_command_line\r\n|fields _time, agent_id, agent_hostname, actor_effective_username, action_file_name, action_file_path, action_file_sha256, actor_process_image_path, actor_process_image_command_line, actor_process_image_sha256, action_process_image_path, action_process_image_command_line, action_process_image_sha256\r\nConclusion\r\nThe Unit 42 Threat Intelligence team remains vigilant in monitoring this evolving situation, is actively hunting for known indicators from recent events and is ready to put protections in place to thwart attacks against our customers.\r\nProduct-specific protections have been implemented as a result of research performed in recent days, and those protections will be augmented as needed as more details come to light. Palo Alto Networks will update this Threat Brief with new information and recommendations as they become available.\r\nTable of Contents\r\nExecutive Summary\r\nCVE-2021-32648 Vulnerability\r\nWhisperGate Malware\r\nMitigation Actions\r\nHunting for WhisperGate\r\nConclusion\r\nAdditional Resources\r\nCVE-2021-32648 Information\r\nWhisperGate Information",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/"
	],
	"report_names": [
		"ukraine-cyber-conflict-cve-2021-32648-whispergate"
	],
	"threat_actors": [
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434245,
	"ts_updated_at": 1775792126,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5634b2c7d5d07b64d14f042f3d0771ea3d229c83.pdf",
		"text": "https://archive.orkl.eu/5634b2c7d5d07b64d14f042f3d0771ea3d229c83.txt",
		"img": "https://archive.orkl.eu/5634b2c7d5d07b64d14f042f3d0771ea3d229c83.jpg"
	}
}