{
	"id": "9a83bf42-ea4a-4861-bf4e-1a16b0ae464d",
	"created_at": "2026-04-06T00:17:34.352169Z",
	"updated_at": "2026-04-10T03:37:09.06868Z",
	"deleted_at": null,
	"sha1_hash": "b243df96fc23cc468f1fb69f0a4077903bf456fb",
	"title": "TeleBots are back: Supply-chain attacks against Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 311231,
	"plain_text": "TeleBots are back: Supply-chain attacks against Ukraine\r\nBy Anton Cherepanov\r\nArchived: 2026-04-02 11:03:27 UTC\r\nThe latest Petya-like outbreak has gathered a lot of attention from the media. However, it should be noted that this was not an isolated incident: this is the latest in a series of similar attacks in Ukraine. This blogpost reveals many details about the Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya) outbreak and related information about previously unpublished attacks.\r\nFigure 1 - The timeline of supply-chain attacks in Ukraine.\r\nTeleBots\r\nIn December 2016 we published two detailed blogposts about disruptive attacks conducted by the group ESET researchers call TeleBots, specifically about attacks against financial institutions and a Linux version of the KillDisk malware used by this group. The group mounted cyberattacks against various computer systems in Ukraine; systems that can be defined as critical infrastructure. Moreover, this group has connections with the infamous BlackEnergy group that was responsible for the December 2015 power outages in Ukraine.\r\nIn the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims’ disks. Putting the cart before the horse: collecting ransom money was never the top priority for the TeleBots group. The KillDisk malware used in the first wave of December 2016 attacks, instead of encrypting, simply overwrites targeted files. Further, it did not provide contact information for communicating with the attacker; it just displayed an image from the Mr. Robot TV show.\r\nhttps://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/\r\nPage 1 of 11\r\nFigure 2 - The picture displayed by KillDisk malware in the first wave of December 2016 attacks.\r\nIn the second wave of attacks, the cybersaboteurs behind the KillDisk malware added contact information to the malware, so it would look like a typical ransomware attack. However, the attackers asked for an extraordinary number of bitcoins: 222 BTC (about $250,000 at that time). This might indicate that they were not interested in bitcoins, but that their actual aim was to cause damage to the attacked companies.\r\nFigure 3 - The ransom demand displayed by KillDisk in the second wave of December 2016 attacks.\r\nIn 2017, the TeleBots group didn’t stop their cyberattacks; in fact, they became more sophisticated. In the period between January and March 2017 the TeleBots attackers compromised a software company in Ukraine (not related to M.E.Doc), and, using VPN tunnels from there, gained access to the internal networks of several financial institutions.\r\nDuring that attack, those behind TeleBots enhanced their arsenal with two pieces of ransomware and updated versions of tools mentioned in the previously-linked blogposts.\r\nThe first backdoor that the TeleBots group relied heavily on was Python/TeleBot.A, which was rewritten from Python in the Rust programming language. The functionality remains the same: it is a standard backdoor that uses the Telegram Bot API in order to receive commands from, and send responses to, the malware operator.\r\nFigure 4 - Disassembled code of the Win32/TeleBot.AB trojan.\r\nThe second backdoor, which was written in VBS and packaged using the script2exe program, was heavily obfuscated but the functionality remained the same as in previous attacks.\r\nFigure 5 - The obfuscated version of the VBS backdoor.\r\nThis time the VBS backdoor used the C\u0026C server at 130.185.250[.]171. To make connections less suspicious for those who check firewall logs, the attackers registered the domain transfinance.com[.]ua and hosted it on that IP address. As is evident from Figure 6, this server was also running the Tor relay named severalwdadwajunior.\r\nFigure 6 - Information about the Tor relay run by the TeleBots group.\r\nIn addition, the attacker used the following tools:\r\nCredRaptor (password stealer)\r\nPlainpwd (modified Mimikatz used for recovering Windows credentials from memory)\r\nSysInternals’ PsExec (used for lateral movement)\r\nAs mentioned above, in the final stage of their attacks, the TeleBots attackers pushed ransomware using stolen Windows credentials and SysInternals’ PsExec. This new ransomware was detected by ESET products as Win32/Filecoder.NKH. Once executed, this ransomware encrypts all files (except files located in the C:\\Windows directory) using the AES-128 and RSA-1024 algorithms. The malware adds the .xcrypted file extension to already-encrypted files.\r\nWhen encryption is done, this filecoder malware creates a text file !readme.txt with the following content:\r\nPlease contact us: openy0urm1nd@protonmail.ch\r\nIn addition to Windows malware, the TeleBots group used Linux ransomware on non-Windows servers. This ransomware is detected by ESET products as Python/Filecoder.R and, predictably, it is written in the Python programming language. This time the attackers execute third-party utilities such as openssl in order to encrypt files. The encryption is done using the RSA-2048 and AES-256 algorithms.\r\nFigure 7 - Python code of the Linux ransomware Python/Filecoder.R used by the TeleBots group.\r\nIn the code of the Python script, the attackers left a comment with the following text:\r\nfeedback: openy0urm1nd[@]protonmail.ch\r\nWin32/Filecoder.AESNI.C\r\nOn 18 May 2017, we noticed new activity on the part of another ransomware family, Win32/Filecoder.AESNI.C (also referred to as XData).\r\nThis ransomware was spread mostly in Ukraine, because of an interesting initial vector. According to our LiveGrid® telemetry, the malware was created right after execution of the M.E.Doc software that is widely used by accounting personnel in Ukraine.\r\nThe Win32/Filecoder.AESNI.C ransomware had a spreading mechanism that allowed it to perform lateral movement automatically inside a compromised company LAN. Specifically, the malware had an embedded Mimikatz DLL that it used to extract Windows account credentials from the memory of a compromised PC. With these credentials, the malware started to spread inside its host network using SysInternals’ PsExec utility.\r\nIt seems that the attackers either did not reach their goal on that occasion, or it was a test before a more effective strike. The attackers posted master decryption keys on the BleepingComputer forum, along with the assertion that this was done because the original author claimed that the source was stolen and used in the Ukraine incident. ESET published a decryption tool for Win32/Filecoder.AESNI ransomware, and this event didn’t gain much media attention.\r\nDiskcoder.C (aka Petya-like) outbreak\r\nWhat did gain a lot of media attention, however, was the Petya-like outbreak of 27 June 2017, because it successfully compromised a lot of systems in critical infrastructure and other businesses in Ukraine, and further afield.\r\nThe malware in this attack has the ability to replace the Master Boot Record (MBR) with its own malicious code. This code was borrowed from the Win32/Diskcoder.Petya ransomware. That’s why some other malware researchers have named this threat ExPetr, PetrWrap, Petya, or NotPetya. However, unlike the original Petya ransomware, Diskcoder.C's authors modified the MBR code in such a way that recovery won’t be possible. Specifically, the attacker cannot provide a decryption key and the decryption key cannot be typed in the ransom screen, because the generated key contains non-acceptable characters.\r\nVisually this MBR part of Diskcoder.C looks like a slightly modified version of Petya: at first it displays a message that impersonates CHKDSK, Microsoft's disk checking utility. During the faux CHKDSK scan Diskcoder.C actually encrypts the data.\r\nFigure 8 - Fake CHKDSK message displayed by Diskcoder.C.\r\nWhen encryption is complete, the MBR code displays the next message with payment instructions, but as noted before this information is useless.\r\nFigure 9 - Diskcoder.C message with payment instructions.\r\nThe remainder of the code, other than the borrowed MBR, was implemented by the authors themselves. This includes file encryption that can be used as a complement to the disk-encrypting MBR. For file encryption, the malware uses the AES-128 and RSA-2048 algorithms. It should be noted that the authors made mistakes that make decryption of files less feasible. Specifically, the malware encrypts only the first 1MB of data and it does not write any header or footer, only raw encrypted data, and does not rename encrypted files, so it’s hard to say which files are encrypted and which are not. In addition to that, files that are larger than 1MB after encryption do not contain padding, so there is no way to verify the key.\r\nInterestingly, the list of target file extensions is not identical but is very similar to the file extensions list from the KillDisk malware used in the December 2016 attacks.\r\nFigure 10 - List of target file extensions from Diskcoder.C.\r\nOnce the malware is executed it attempts to spread using the infamous EternalBlue exploit, leveraging the DoublePulsar kernel-mode backdoor. Exactly the same method was used in the WannaCryptor.D ransomware. Diskcoder.C also adopted the method from the Win32/Filecoder.AESNI.C (aka XData) ransomware: it uses a lightweight version of Mimikatz to obtain credentials and then executes the malware using SysInternals’ PsExec on other machines on the LAN. In addition to that, the attackers implemented a third method of spreading using a WMI mechanism.\r\nAll three of these methods have been used to spread malware inside LANs. Unlike the infamous WannaCryptor malware, the EternalBlue exploit is used by Diskcoder.C only against computers within the local network address space.\r\nWhy are there infections in countries other than Ukraine? Our investigation revealed that affected companies in other countries had VPN connections to their branches, or to business partners, in Ukraine.\r\nInitial infection vector\r\nBoth Diskcoder.C and Win32/Filecoder.AESNI.C used a supply-chain attack as the initial infection vector. These malware families were spread using Ukrainian accounting software called M.E.Doc.\r\nThere are several options for how this attack can be implemented. M.E.Doc has an internal messaging and document exchange system, so attackers could send spearphishing messages to victims. User interaction is required in order to execute something malicious in this way. Thus, social engineering techniques would be involved. Since Win32/Filecoder.AESNI.C didn’t spread so widely, we mistakenly assumed that these techniques were used in this case.\r\nHowever, the subsequent Diskcoder.C outbreak suggests that the attackers had access to the update server of the legitimate software. Using access to this server, attackers pushed a malicious update that was applied automatically without user interaction. That’s why so many systems in Ukraine were affected by this attack. However, it seems like the malware authors underestimated the spreading capabilities of Diskcoder.C.\r\nESET researchers found evidence that supports this theory. Specifically, we identified a malicious PHP backdoor that was deployed under medoc_online.php in one of the FTP directories on M.E.Doc's server. This backdoor was accessible from HTTP; however, it was encrypted, so the attacker would have to have the password in order to use it.\r\nFigure 11 - Listing of the FTP directory containing the PHP backdoor.\r\nWe should say that there are signs that suggest that Diskcoder.C and Win32/Filecoder.AESNI.C were not the only malware families that were deployed using that infection vector. We can speculate that these malicious updates were deployed in a stealthy way to computer networks that belong to high-value targets.\r\nOne such malware that was deployed via this possibly compromised M.E.Doc update server mechanism was the VBS backdoor used by the TeleBots group. This time the attacker again used a financially-themed domain name: bankstat.kiev[.]ua.\r\nOn the day of the Diskcoder.C outbreak, the A-record of this domain was changed to 10.0.0.1.\r\nConclusions\r\nThe TeleBots group continues to evolve in order to conduct disruptive attacks against Ukraine. Instead of spearphishing emails with documents containing malicious macros, they used a more sophisticated scheme known as a supply-chain attack. Prior to the outbreak, the TeleBots group targeted mainly the financial sector. The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware’s spreading capabilities. That’s why the malware went out of control.\r\nIndicators of Compromise (IoC)\r\nESET detection names:\r\nWin32/TeleBot trojan\r\nVBS/Agent.BB trojan\r\nVBS/Agent.BD trojan\r\nVBS/Agent.BE trojan\r\nWin32/PSW.Agent.ODE trojan\r\nWin64/PSW.Agent.K trojan\r\nPython/Filecoder.R trojan\r\nWin32/Filecoder.AESNI.C trojan\r\nWin32/Filecoder.NKH trojan\r\nWin32/Diskcoder.C trojan\r\nWin64/Riskware.Mimikatz application\r\nWin32/RiskWare.Mimikatz application\r\nC\u0026C servers:\r\ntransfinance.com[.]ua (IP: 130.185.250.171)\r\nbankstat.kiev[.]ua (IP: 82.221.128.27)\r\nwww.capital-investing.com[.]ua (IP: 82.221.131.52)\r\nLegitimate servers abused by malware authors:\r\napi.telegram.org (IP: 149.154.167.200, 149.154.167.197, 149.154.167.198, 149.154.167.199)\r\nVBS backdoor:\r\n1557E59985FAAB8EE3630641378D232541A8F6F9\r\n31098779CE95235FED873FF32BB547FFF02AC2F5\r\nCF7B558726527551CDD94D71F7F21E2757ECD109\r\nMimikatz:\r\n91D955D6AC6264FBD4324DB2202F68D097DEB241\r\nDCF47141069AECF6291746D4CDF10A6482F2EE2B\r\n4CEA7E552C82FA986A8D99F9DF0EA04802C5AB5D\r\n4134AE8F447659B465B294C131842009173A786B\r\n698474A332580464D04162E6A75B89DE030AA768\r\n00141A5F0B269CE182B7C4AC06C10DEA93C91664\r\n271023936A084F52FEC50130755A41CD17D6B3B1\r\nD7FB7927E19E483CD0F58A8AD4277686B2669831\r\n56C03D8E43F50568741704AEE482704A4F5005AD\r\n38E2855E11E353CEDF9A8A4F2F2747F1C5C07FCF\r\n4EAAC7CFBAADE00BB526E6B52C43A45AA13FD82B\r\nF4068E3528D7232CCC016975C89937B3C54AD0D1\r\nWin32/TeleBot:\r\nA4F2FF043693828A46321CCB11C5513F73444E34\r\n5251EDD77D46511100FEF7EBAE10F633C1C5FC53\r\n8D379585E0A9DB4C65450622CED26C108DC694AB\r\nWin32/PSW.Agent.ODE (CredRaptor):\r\n759DCDDDA26CF2CC61628611CF14CFABE4C27423\r\n77C1C31AD4B9EBF5DB77CC8B9FE9782350294D70\r\nEAEDC201D83328AF6A77AF3B1E7C4CAC65C05A88\r\nEE275908790F63AFCD58E6963DC255A54FD7512A\r\nEE9DC32621F52EDC857394E4F509C7D2559DA26B\r\nFC68089D1A7DFB2EB4644576810068F7F451D5AA\r\nWin32/Filecoder.NKH:\r\n1C69F2F7DEE471B1369BF2036B94FDC8E4EDA03E\r\nPython/Filecoder.R:\r\nAF07AB5950D35424B1ECCC3DD0EEBC05AE7DDB5E\r\nWin32/Filecoder.AESNI.C:\r\nBDD2ECF290406B8A09EB01016C7658A283C407C3\r\n9C694094BCBEB6E87CD8DD03B80B48AC1041ADC9\r\nD2C8D76B1B97AE4CB57D0D8BE739586F82043DBD\r\nWin32/Diskcoder.C:\r\n34F917AABA5684FBE56D3C57D48EF2A1AA7CF06D\r\nPHP shell:\r\nD297281C2BF03CE2DE2359F0CE68F16317BF0A86\r\nSource: https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/"
	],
	"report_names": [
		"telebots-back-supply-chain-attacks-against-ukraine"
	],
	"threat_actors": [
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434654,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b243df96fc23cc468f1fb69f0a4077903bf456fb.pdf",
		"text": "https://archive.orkl.eu/b243df96fc23cc468f1fb69f0a4077903bf456fb.txt",
		"img": "https://archive.orkl.eu/b243df96fc23cc468f1fb69f0a4077903bf456fb.jpg"
	}
}