{
	"id": "3219c202-f4bc-4ac1-a272-b9f1c6cfbf12",
	"created_at": "2026-04-06T00:13:01.499211Z",
	"updated_at": "2026-04-10T13:11:42.025634Z",
	"deleted_at": null,
	"sha1_hash": "c11a7eb8197e58ca8cde8c183ff26e7e17c64abf",
	"title": "Analysis of Destructive Malware (WhisperGate) targeting Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1610713,
	"plain_text": "Analysis of Destructive Malware (WhisperGate) targeting Ukraine\r\nBy S2W\r\nPublished: 2022-01-19 · Archived: 2026-04-05 23:01:32 UTC\r\nExecutive Summary\r\nOn 2022-01-15, MSTIC (Microsoft Threat Intelligence Center) identified and disclosed a cyberattack against Ukrainian organizations using “WhisperGate”, which overwrites the Master Boot Record (MBR) and files.\r\nThe actor behind this attack is tracked as DEV-0586 and has not yet been attributed to any existing group.\r\nIt was confirmed that the actor uses the tool “Impacket” for lateral movement and malware execution.\r\nKnown working directories: C:\\PerfLogs, C:\\ProgramData, C:\\, C:\\temp\r\nThe flow revealed so far consists of three stages:\r\nStage1: Overwrites the MBR and destroys all partitions\r\nStage2: Downloads Stage3 through a Discord link and loads it in memory\r\nStage3: Disables Windows Defender and overwrites target files\r\nThe malware set used in this attack not only overwrites the MBR and displays a ransom note but also overwrites files without keeping any backup, so the purpose appears to be data destruction rather than financial gain.\r\nAs additional samples such as Stage3 are being shared among analysts on Twitter in addition to the two samples released by MSTIC, the IoCs and this analysis will be updated continuously.\r\nDetailed Analysis\r\nStage1\r\nSHA256: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92\r\nCreation Time: 2022-01-10 10:37:18\r\nFirst Submission: 2022-01-16 20:30:19\r\nFile Type: Win32 EXE\r\nStage1 opens the physical disk directly and overwrites the MBR (sector 0, the first 0x200 bytes of the disk) with a 0x200-byte boot-sector image that is hard-coded inside the executable.\r\n
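Worked example (added by the editor; this is not code from S2W or from the malware itself): the disk-write loop of the Stage1 boot-sector code is small enough to replay in Python. The block below builds the 16-byte Disk Address Packet in the layout the boot-sector code initialises at 0x7C72, replays the write loop (start at LBA 1, add 199 while writes succeed, move to the next drive when a write fails) against in-memory disks, and applies a triage heuristic to a raw disk image that looks for the same block repeated at that stride. The 0xAA fill PATTERN and the 1000-sector and 400-sector disks are constructed stand-ins (the real 0x200-byte data is not reproduced here), and the assumption that the LBA restarts at 1 on each new drive is marked in the code.

```python
import random
import struct

SECTOR = 512            # INT 13h sector size
LBA_STRIDE = 0xC7       # 199: added to the LBA after every successful write
FIRST_LBA = 1           # writes begin at LBA 1 of each disk (LBA 0 holds the MBR)
FIRST_DRIVE = 0x80      # BIOS drive index of the first hard disk
# DAP layout at 0x7C72: size, reserved, sector count, buffer offset, buffer segment,
# low 32 bits of the 48-bit LBA, high 16 bits of the LBA (stored in a 4-byte field)
DAP_FMT = '<BBHHHII'

# Constructed stand-in for the fixed 0x200-byte block the boot-sector code writes.
PATTERN = bytes([0xAA]) * SECTOR


def build_dap(lba, sectors=1, buf_seg=0x0000, buf_off=0x7C00):
    '''Return the 16-byte Disk Address Packet for an INT 13h extended write at lba.'''
    return struct.pack(DAP_FMT, 16, 0, sectors, buf_off, buf_seg,
                       lba & 0xFFFFFFFF, (lba >> 32) & 0xFFFF)


def parse_dap(raw):
    '''Decode a DAP captured from memory (for example a 16-byte dump taken at 0x7C72
    in a debugger) into (sector_count, segment, offset, lba).'''
    size, _reserved, sectors, off, seg, lba_lo, lba_hi = struct.unpack(DAP_FMT, bytes(raw[:16]))
    if size != 16:
        raise ValueError('not a 16-byte DAP')
    return sectors, seg, off, ((lba_hi & 0xFFFF) << 32) | lba_lo


def stride_lbas(total_sectors, stride=LBA_STRIDE, start=FIRST_LBA):
    '''LBAs hit on a disk of total_sectors sectors: start, start+199, start+398, ...'''
    return list(range(start, total_sectors, stride))


def simulate_wipe(drive_sizes, pattern=PATTERN):
    '''Replay the write loop against in-memory disks.
    drive_sizes lists the sector count of drive 0x80, 0x81, ... in order.
    Assumption (not stated on the page): the LBA restarts at 1 on each new drive.
    Returns the disks and the (drive, lba, dap) triples in write order.'''
    disks = {FIRST_DRIVE + i: bytearray(SECTOR * n) for i, n in enumerate(drive_sizes)}
    writes = []
    drive = FIRST_DRIVE
    while drive in disks:
        lba = FIRST_LBA
        total = len(disks[drive]) // SECTOR
        while lba < total:                 # a write past the end is the failure that moves on
            dap = build_dap(lba)
            disks[drive][lba * SECTOR:(lba + 1) * SECTOR] = pattern
            writes.append((drive, lba, dap))
            lba += LBA_STRIDE
        drive += 1
    return disks, writes


def stride_pattern_present(image, stride=LBA_STRIDE, min_hits=4):
    '''Triage heuristic for a raw disk image: every sector at LBA 1, 200, 399, ... holds
    the same non-zero data while the sector right after a hit does not, which is the
    footprint of one fixed block written at a constant stride.'''
    total = len(image) // SECTOR
    hits = stride_lbas(total, stride)
    if len(hits) < min_hits:
        return False

    def sector(n):
        return bytes(image[n * SECTOR:(n + 1) * SECTOR])

    ref = sector(hits[0])
    if ref == bytes(SECTOR):               # an all-zero disk is not evidence of anything
        return False
    if any(sector(n) != ref for n in hits):
        return False
    return any(sector(n + 1) != ref for n in hits if n + 1 < total)


def demo():
    '''Two constructed disks (1000 and 400 sectors) plus a pseudo-random clean image.'''
    disks, writes = simulate_wipe([1000, 400])
    rng = random.Random(7)
    clean = bytes(rng.getrandbits(8) for _ in range(1000 * SECTOR))
    return {
        'writes': len(writes),
        'first_drive_lbas': [lba for drive, lba, _ in writes if drive == FIRST_DRIVE],
        'wiped_detected': stride_pattern_present(disks[FIRST_DRIVE]),
        'clean_detected': stride_pattern_present(clean),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

Running it reports 9 writes for the two constructed disks (LBAs 1, 200, 399, 598, 797, 996 on the first, then 1, 200, 399 on the second), flags the wiped image and not the random one. The arithmetic is the point for responders: only one sector in 199 (about 0.5% of the disk) is touched, but the hits are spread over the whole disk and therefore over every partition on it, and each hit is the same fixed block, which is what the heuristic keys on.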
Once the PC is rebooted, the overwritten MBR code is executed: it displays the ransom note and then iterates over all physical drives, overwriting one sector every 199 LBAs with fixed data.\r\nhttps://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3\r\nPage 1 of 9\r\n[Figure: Overwrites MBR]\r\nThe overwritten code reads the ransom note string stored inside the MBR and writes it to the display.\r\n[Figure: Writes ransom note on the display]\r\nAfter that, starting from the disk holding the C drive, it attempts to destroy the drives by overwriting sectors with fixed data in extended write mode (the INT 13h extended write function, addressed through a Disk Address Packet).\r\n[Figure: Drives wiper code]\r\nDisk Address Packet (DAP) structure initialized when the malicious code writes to disk:\r\n(0x7C72) (offset 0, size 1): size of packet (16 bytes)\r\n(0x7C73) (offset 1, size 1): reserved (always 0)\r\n(0x7C74) (offset 2, size 2): number of sectors to transfer\r\n(0x7C76) (offset 4, size 4): transfer buffer (segment:offset)\r\n(0x7C7A) (offset 8, size 4): lower 32 bits of the 48-bit starting LBA\r\n(0x7C7E) (offset 12, size 4): upper 16 bits of the 48-bit starting LBA\r\nThe write loop works as follows:\r\nWrites start from LBA 1 of the disk (LBA 0, the MBR, was already replaced by Stage1).\r\nWhen a disk write succeeds, the LBA is increased by 0xC7 (199) and the next write is issued.\r\nWhen a disk write fails, the drive index is incremented and the next disk is tried.\r\nOnly one sector in 199 is overwritten, but the writes span the whole disk and therefore every partition on it.\r\n[Figure: Overwritten drives]\r\n
Stage2\r\nSHA256: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78\r\nCreation Time: 2022-01-10 14:39:54\r\nFirst Submission: 2022-01-16 20:31:26\r\nFile Type: Win32 EXE\r\nStage2 performs no malicious action for 20 seconds in order to bypass AV (Anti Virus) emulation and sandboxes that only observe the first seconds of execution. To do this, it runs the following command twice:\r\nCommand: powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==\r\nThe -enc argument is Base64-encoded UTF-16LE and decodes to: Start-Sleep -s 10\r\nThen it downloads an additional file disguised with a JPG extension from a Discord CDN link. The bytes of the downloaded file are reversed to obtain a PE (a .NET DLL), which is loaded in memory, and its “Ylfwdwgmpilzyaph” method is invoked.\r\n[Figure: Stage3 payload downloaded via Discord link]\r\nURL: https[:]//cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg\r\n
Stage3 (Tbopbh.jpg)\r\nSHA256: 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6\r\nTbopbh.jpg (Reversed)\r\nSHA256: 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d\r\nCreation Time: 2022-01-10 14:39:31\r\nFirst Submission: 2022-01-16 21:29:58\r\nFile Type: Win32 DLL\r\nThe downloaded Stage3 is written in C# like Stage2, and exeinfoPE detects the obfuscation tool Eazfuscator.\r\n[Figure: Detected Eazfuscator]\r\nThere are 3 resources inside Stage3. Apart from the resource “78c855a088924e92a7f60d661c3d1845”, the use of the remaining 2 resources has not yet been confirmed; this section will be updated.\r\n[Figure: 3 resources inside Stage3]\r\nStage3 loads the embedded resource “78c855a088924e92a7f60d661c3d1845” and decodes it with an XOR operation.\r\n[Figure: XOR decoding code]\r\nThe decoded data is a DLL that contains two further resources, “AdvancedRun” and “Waqybg”. Stage3 extracts both and decompresses them with GZIP:\r\nAdvancedRun (GZIP decompressed)\r\nWaqybg (reversed, then GZIP decompressed)\r\n[Figure: 2 resources in the decoded resource]\r\n
1. AdvancedRun: Stop the Windows Defender service\r\nExecutes “%Temp%\\Nmddfrqqrbyjeygggda.vbs” to add “C:\\” as a Defender exclusion folder:\r\nCommand: “C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” Set-MpPreference -ExclusionPath ‘C:\\’\r\nStops the Windows Defender service through AdvancedRun.exe and deletes the “C:\\ProgramData\\Microsoft\\Windows Defender” directory. /RunAs 8 is AdvancedRun's run-as-TrustedInstaller option, which is what lets it stop the protected service and remove the directory:\r\nCommand: “C:\\Users\\Administrator\\AppData\\Local\\Temp\\AdvancedRun.exe” /EXEFilename “C:\\Windows\\System32\\sc.exe” /WindowState 0 /CommandLine “stop WinDefend” /StartDirectory “” /RunAs 8 /Run\r\nCommand: “C:\\Users\\Administrator\\AppData\\Local\\Temp\\AdvancedRun.exe” /EXEFilename “C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” /WindowState 0 /CommandLine “rmdir ‘C:\\ProgramData\\Microsoft\\Windows Defender’ -Recurse” /StartDirectory “” /RunAs 8 /Run\r\nEach of these commands is a high-signal detection event on its own: a root-drive exclusion added with Set-MpPreference, sc.exe stopping WinDefend, and a PowerShell rmdir of the Defender ProgramData directory, all launched by an executable in the user's Temp directory.\r\n
2. Waqybg: Overwrites target files\r\nOverwrites the first 0x100000 bytes (1 MB) of each target file with 0xCC and renames the file with a random extension.\r\n[Figure: Overwrites files]\r\nTarget file extensions (106 in total; only the first ones are listed here):\r\n.HTML .HTM .PHTML .PHP .JSP .ASP .PHPS .PHP5 .ASPX .PHP4 .PHP3 .DOC .DOCX .XLS .XLSX .PPT .PPTX .PST\r\nFinally it runs a ping command as a delay and deletes itself:\r\ncmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 \u003e Nul \u0026 Del /f /q \\”[Filepath]\\”\r\n
Appendix\r\nRansom Note\r\nYour hard drive has been corrupted.\r\nIn case you want to recover all hard drives\r\nof your organization,\r\nYou should pay us $10k via bitcoin wallet\r\n1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via\r\ntox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65\r\nwith your organization name.\r\nWe will contact you to give further instructions.\r\nRelated IoCs\r\na196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 (Stage1)\r\ndcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 (Stage2)\r\n923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 (Stage3, Tbopbh.jpg)\r\n9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d (Stage3, reversed Tbopbh.jpg)\r\n35FEEFE6BD2B982CB1A5D4C1D094E8665C51752D0A6F7E3CAE546D770C280F3A (decoded resource “78c855a088924e92a7f60d661c3d1845”)\r\n29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B (AdvancedRun.exe)\r\nDB5A204A34969F60FE4A653F51D64EEE024DBF018EDEA334E8B3DF780EDA846F (Nmddfrqqrbyjeygggda.vbs)\r\n34CA75A8C190F20B8A7596AFEB255F2228CB2467BD210B2637965B61AC7EA907 (File Wiper)\r\nURL: https[:]//cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg\r\nReference\r\nhttps://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\r\nSource: https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"
	],
	"report_names": [
		"analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"
	],
	"threat_actors": [
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c11a7eb8197e58ca8cde8c183ff26e7e17c64abf.pdf",
		"text": "https://archive.orkl.eu/c11a7eb8197e58ca8cde8c183ff26e7e17c64abf.txt",
		"img": "https://archive.orkl.eu/c11a7eb8197e58ca8cde8c183ff26e7e17c64abf.jpg"
	}
}