{ "id": "c60a98fb-c8f4-4d37-928e-d8c319169930", "created_at": "2026-04-06T00:17:01.452502Z", "updated_at": "2026-04-10T03:35:26.2617Z", "deleted_at": null, "sha1_hash": "63e4407cf11fd88b8035f436971383dd13e8c26b", "title": "Netskope Threat Coverage: WhisperGate", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 118974, "plain_text": "Netskope Threat Coverage: WhisperGate\r\nBy Gustavo Palazolo\r\nPublished: 2022-01-26 · Archived: 2026-04-02 11:18:12 UTC\r\nSummary\r\nA new destructive malware called WhisperGate was discovered in mid-January 2022 targeting Ukrainian\r\norganizations. This threat emerged during geopolitical conflicts in Ukraine, masquerading as ransomware.\r\nHowever, this malware has a more destructive nature: wiping files and corrupting disks to prevent the OS from\r\nloading. Ukraine has suffered other cyberattacks that seem to be connected to WhisperGate, such as the\r\ndefacement of many websites connected to their governments.\r\nThis is a multi-stage malware, where one of the payloads is hosted on a Discord server. The preference of\r\nattackers to use cloud services for malicious purposes is increasingly common, as pointed out in an analysis of a\r\nthreat campaign that uses multiple cloud services throughout the attack. The threat group behind WhisperGate is\r\nbeing tracked as DEV-0586, and so far there isn’t any association between this attack to known APT groups. In\r\nthis threat coverage, we analyzed all four stages of WhisperGate to demonstrate how it works.\r\nAnalysis\r\nStage 01\r\nWhisperGate’s first stage is a small executable compiled with MinGW, responsible for corrupting the disk by\r\nwriting code into the Master Boot Record (MBR), which is a small section on disk that contains the Partition\r\nTable and an executable code related to the boot loader.\r\nBinary information about WhisperGate’s first stage\r\nCorrupting the MBR is a simple technique to prevent any Operating System from loading, as the assembly code is\r\nexecuted before the OS.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 1 of 27\n\nThe entire code for the first stage of WhisperGate can fit in a single screenshot, where the malware loads the MBR\r\ndata that will be written to disk, opens a handle to the physical drive with CreateFileW, and uses WriteFile to\r\nwrites the 512 bytes to MBR, which is located in the first sector of the disk.\r\nDisassembled code of WhisperGate’s first stage.\r\nThe MBR stub written to disk includes a 16-bit assembly code and a message.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 2 of 27\n\nData written on disk by WhisperGate\r\nIf we load this data into the disassembler, we can analyze the 16-bit assembly that will be executed once the\r\ncomputer is rebooted, which doesn’t do anything but display a message.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 3 of 27\n\nCode that is executed once the computer is infected with WhisperGate.\r\nOnce the computer is infected, as soon as it restarts, the message is displayed and the OS is prevented from\r\nloading. The message says the hard drive was corrupted and demands a payment of $10,000 via Bitcoin to a\r\nspecific walled address.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 4 of 27\n\nComputer infected with the first stage of WhisperGate.\r\nThis is the only action performed by the first stage of WhisperGate. The following stages were created probably to\r\nadd a certain resilience to the attack in case the first stage fails, as systems may use GUID Partition Table (GPD),\r\nwhich is MBR’s successor.\r\nStage 02\r\nIn this stage, we have a simple .NET downloader for stage 03. The binary contains an expired signature from\r\nMicrosoft, and although it is not shown by identification tools, the file is obfuscated with NetReactor, as pointed\r\nout by OALabs.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 5 of 27\n\nBinary information about WhisperGate’s second stage.\r\nOnce running, it downloads the third stage from a Discord server, named “Tbopbh.jpg”.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 6 of 27\n\nWhisperGate’s .NET downloader.\r\nAfter the download, the malware loads the binary as a .NET assembly and executes the method named\r\n“Ylfwdwgmpilzyaph”.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 7 of 27\n\nMalware executing the third stage of WhisperGate\r\nStage 03\r\nHere we have a 32-bit DLL, also developed in .NET. Since this file is directly loaded by the second stage as a\r\n.NET assembly, the DLL doesn’t have an entry point, which requires some adjustments to make dynamic analysis\r\nfeasible.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 8 of 27\n\nBinary information about WhisperGate’s third stage.\r\nAs shown in the image above, the file is protected with Eazfuscator, likely to hinder researchers’ analysis.\r\nSearching throughout the decompiled code, we can find the same method that is executed by the second stage.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 9 of 27\n\nMain function from the third stage of WhisperGate.\r\nOnce running, it checks if the process is running as an Administrator. If it’s not the case, it launches itself with\r\nelevated permissions and exits the process.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 10 of 27\n\nMalware checking for administrative permissions.\r\nThen, it drops a VBS named “Nmddfrqqrbyjeygggda.vbs” into the Windows temporary folder, containing a\r\nsimple PowerShell code that adds the path “C:\\” to Windows Defender’s exclusion list.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 11 of 27\n\nSimple VBS / PowerShell to bypass Windows Defender.\r\nIt also drops an executable named “AdvancedRun.exe” to the same directory, which is a tool from NirSoft to\r\nexecute programs with different settings. WhisperGate uses this tool to execute commands in the\r\n“TrustedInstaller” group context.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 12 of 27\n\nUsage of AvancedRun tool, by NirSoft.\r\nIt executes two commands with this tool, both as an attempt to disable Windows Defender. The first one tries to\r\nstop Defender’s service, and the second tries to delete its respective folder.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 13 of 27\n\nCommands executed with AdvancedRun.\r\nThen, WhisperGate copies “InstallUtil.exe” to Windows temporary folder, which is a binary from .NET\r\nFramework.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 14 of 27\n\nCopying InstallUtil executable to Windows temporary folder.\r\nAnd finally, WhisperGate’s last stage is injected into an instance of the InstallUtil’s process. The payload is stored\r\nwithin an encrypted resource, where all the bytes are reversed and compressed with Gzip.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 15 of 27\n\nMalware loading WhisperGate’s last stage.\r\nStage 04\r\nThe binary used in this stage is quite similar to the first one in terms of compiler and linker.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 16 of 27\n\nWhisperGate’s last stage.\r\nLooking at the main function of the malware, we have two functions being called prior to the end of the execution.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 17 of 27\n\nWhisperGate’s main function.\r\nAt the function we named “mw_main_routine”, the malware starts by listing the drives with the help of\r\nGetLogicalDrives API.\r\nMalware listing OS drives.\r\nThen, it uses GetDriveTypeW to check if the drive is either fixed or remote. If that’s the case, it starts the function\r\nthat will wipe the files.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 18 of 27\n\nMalware checking the drive type.\r\nWithin the function we named “mw_wipe_files”, it starts by listing all the files in the root path of the drive with\r\nFindFirstFileW.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 19 of 27\n\nMalware listing all the files in the current directory.\r\nIf the current object is a directory, the “mw_wipe_files” function is called recursively with the identified directory\r\nas a parameter. This is verified by calling the “_wstat” function and checking the st_mode bits.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 20 of 27\n\nMalware checking if the current object is a directory.\r\nWhisperGate does not wipe files in the Windows directory.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 21 of 27\n\nWhisperGate skipping Windows folder.\r\nThe last verification is related to the file’s extension, where the malware iterates over a list of targeted extensions\r\nand, if the file name matches, a function we named “mw_write_bytes_to_file” is called.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 22 of 27\n\nWhisperGate checking for targeted extensions.\r\nWhisperGate targets many files with extensions related to websites, such as “.html”, “.php”, “.asp”, “.jsp”, as well\r\nas common documents like “.doc”, “.xls”, “.ppt”, etc. A complete list of targeted extensions can be found in our\r\nGitHub repository.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 23 of 27\n\nWhisperGate’s targeted extensions.\r\nAnd finally, if the file matches the criteria, WhisperGate wipes the file by replacing its content with a sequence of\r\n0x100000 bytes of 0xCC.\r\nWhisperGate wiping system’s files.\r\nAlso, a random extension is appended to the file’s name.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 24 of 27\n\nFiles wiped by WhisperGate.\r\nOnce it’s over, WhisperGate deletes itself through a simple command line, where “%s” is the file path obtained\r\nwith GetModuleFileNameA.\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 25 of 27\n\nThis is the only behavior of WhisperGate’s last stage. Paying the ransom demanded would be fruitless because the\r\nMBR and files were simply overwritten, not encrypted like they would be by ransomware. \r\nConclusions\r\nWhisperGate is a multi-stage destructive malware that has emerged in the midst of the geopolitical conflict that is\r\nstill unfolding in Ukraine. Netskope Threat Labs is on the lookout for any malware that may appear with an\r\napparent political motivation, especially ones that may disrupt essential services, such as infrastructure. It’s also\r\ninteresting to see this threat using Discord to host one of the payloads, showing again the preference of cloud apps\r\nusage by cyber attackers. We echo CISA’s recommendations released in this note to implement cybersecurity\r\nmeasures for critical infrastructure.\r\nProtection\r\nNetskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat\r\nindicators and payloads. \r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 26 of 27\n\nNetskope Threat Protection\r\nWin32.Trojan.WhisperGate\r\nWin32.Network.WhisperGate\r\nByteCode-MSIL.Trojan.WhisperGate\r\nNetskope Advanced Threat Protection provides proactive coverage against this threat.\r\nGen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis\r\nGen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox\r\nIOCs\r\nA full list of IOCs and Yara rules can be found in our GitHub repository.\r\nSource: https://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nhttps://www.netskope.com/blog/netskope-threat-coverage-whispergate\r\nPage 27 of 27\n\n https://www.netskope.com/blog/netskope-threat-coverage-whispergate \nBinary information about WhisperGate’s second stage. \nOnce running, it downloads the third stage from a Discord server, named “Tbopbh.jpg”.\n Page 6 of 27", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.netskope.com/blog/netskope-threat-coverage-whispergate" ], "report_names": [ "netskope-threat-coverage-whispergate" ], "threat_actors": [ { "id": "c28760b2-5ec6-42ad-852f-be00372a7ce4", "created_at": "2022-10-27T08:27:13.172734Z", "updated_at": "2026-04-10T02:00:05.279557Z", "deleted_at": null, "main_name": "Ember Bear", "aliases": [ "Ember Bear", "UNC2589", "Bleeding Bear", "DEV-0586", "Cadet Blizzard", "Frozenvista", "UAC-0056" ], "source_name": "MITRE:Ember Bear", "tools": [ "P.A.S. Webshell", "CrackMapExec", "ngrok", "reGeorg", "WhisperGate", "Saint Bot", "PsExec", "Rclone", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "bdbf873a-048d-4c5d-9d92-922327cc83a8", "created_at": "2023-01-06T13:46:39.387696Z", "updated_at": "2026-04-10T02:00:03.310459Z", "deleted_at": null, "main_name": "DEV-0586", "aliases": [ "Ruinous Ursa", "Cadet Blizzard" ], "source_name": "MISPGALAXY:DEV-0586", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "025b7171-98f8-4391-adc2-66333629c715", "created_at": "2023-06-23T02:04:34.120175Z", "updated_at": "2026-04-10T02:00:04.599019Z", "deleted_at": null, "main_name": "Cadet Blizzard", "aliases": [ "DEV-0586", "Operation Bleeding Bear", "Ruinous Ursa" ], "source_name": "ETDA:Cadet Blizzard", "tools": [ "GO Simple Tunnel", "GOST", "Impacket", "LOLBAS", "LOLBins", "Living off the Land", "P0wnyshell", "PAYWIPE", "Ponyshell", "Pownyshell", "WhisperGate", "WhisperKill", "netcat", "reGeorg" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434621, "ts_updated_at": 1775792126, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/63e4407cf11fd88b8035f436971383dd13e8c26b.pdf", "text": "https://archive.orkl.eu/63e4407cf11fd88b8035f436971383dd13e8c26b.txt", "img": "https://archive.orkl.eu/63e4407cf11fd88b8035f436971383dd13e8c26b.jpg" } }