{
	"id": "894a164f-d245-42df-8d3a-0a9752a1e187",
	"created_at": "2026-04-06T00:18:16.879642Z",
	"updated_at": "2026-04-10T13:12:22.136752Z",
	"deleted_at": null,
	"sha1_hash": "db8b729d58ba58c4c878281f5c374f469bfa43f1",
	"title": "The Ukrainian Government Cyberattack – What You Need to Know | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4127013,
	"plain_text": "The Ukrainian Government Cyberattack – What You Need to\r\nKnow | Deep Instinct\r\nBy Simon Kenin, Threat Intelligence Researcher\r\nPublished: 2022-01-26 · Archived: 2026-04-05 21:35:11 UTC\r\nOverview\r\nOn the evening of January 13, several Ukrainian government websites, including the Ministry of Foreign Affairs,\r\nwere hacked in a coordinated effort. Provocative messages were posted on the main page of these sites in three\r\nlanguages: Ukrainian, Russian, and Polish.\r\nIn parallel, some Ukrainian government infrastructure was attacked by wiper malware. The Ukrainian National\r\nCoordination Center for Cybersecurity named this attack “Operation Bleeding Bear.” This is not the first time\r\nUkraine has faced a disk-wiping attack; it also suffered from BlackEnergy in 2015, Industroyer in 2016 and\r\nNotPetya in 2017.\r\nOn January 15, Microsoft shared its initial findings regarding the wiper attack, providing indicators for the stage1\r\nand stage2 malware used in the attack.\r\nMicrosoft mentioned that the attackers launched the stage1 malware via Impacket, revealing that the attackers had\r\nprior access to the network and deployed various hacking tools to move laterally inside the environment.\r\nImpacket is a collection of open-source Python classes for working with network protocols. Some of its example\r\nscripts (wmiexec and psexec, among others) execute commands on a remote computer when a valid username and\r\npassword, or password hash, for that computer is supplied; seeing them in an environment is a sign of an attacker\r\nwho already holds credentials, not of an exploit.\r\nFollowing is a detailed look at how this attack unfolded:\r\nStage1 (a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92)\r\nStage1 is the MBR wiper malware. MBR stands for Master Boot Record, the first 512-byte sector of the hard disk,\r\nwhich holds the bootstrap code and the partition table. 
It is worth noting that most modern computers use GPT instead of MBR; GPT disks still keep a protective MBR in\r\nsector 0, so the write still lands, but UEFI firmware locates partitions through the GPT header at LBA 1 rather than\r\nthrough MBR boot code, so the effect on such a machine depends on its firmware.\r\nThe executable is compiled using MinGW GCC:\r\nhttps://www.deepinstinct.com/blog/the-ukrainian-government-cyberattack-what-you-need-to-know\r\nPage 1 of 10\n\nFigure 1: Stage1 compiler information\r\nThe malware achieves the “wiping” of the MBR by opening a handle to the raw disk device “\\\\.\\PhysicalDrive0” and\r\noverwriting the contents of its first sector, the MBR, thus making the original OS unbootable.\r\n“\\\\.\\PhysicalDrive0” is the device name of the first physical drive attached to the computer; a write at offset 0 of\r\nthat device lands in the first sector, which, as mentioned above, is where the MBR resides. Opening the raw device for\r\nwriting requires administrative privileges, which is consistent with the Impacket-based execution described earlier.\r\nFigure 2: Code snippet responsible for the MBR overwrite\r\nThe malware overwrites the MBR with the contents of the “data_404020” variable.\r\nFigure 3: Highlighted code showing what will be written to the MBR\r\n“data_404020” contains the ransom note that will be shown when the computer boots with the overwritten MBR.\r\nFigure 4: The actual data that will be written to the MBR\r\nStage2 (dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78)\r\nThis is an obfuscated .NET executable. According to information found in several tweets from InfoSec experts,\r\nthis is a generic downloader used by different e-crime campaigns.\r\nThis specific sample downloads a file with a .jpg extension from Discord, a popular chat app that allows users to\r\nsend files. Discord is known to be abused to distribute malicious files, since attachments are served from its\r\ncontent delivery network and blend in with legitimate traffic.\r\nFigure 5: Download URL from Discord\r\nThe downloaded file (923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6) is, in fact,\r\nnot a .jpg image file at all. 
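A first triage step for a download like this, added here as an example (not tooling from the post or from the sample): read the blob as stored and byte-reversed, look for the gzip magic or an MZ/PE header pair, and un-reverse it. The same routine covers the reversed gzip resource described in the stage3 section below, and as a generalisation it also copes with an archive member that is itself mirrored. The sample blobs are constructed stand-ins built inside the block, not the real stage files; the mirror_hint function is the hex-editor observation that the file ends in ZM, extended to the gzip case.

```python
import gzip
import struct

MZ = b'MZ'                          # DOS header signature at offset 0 of a PE file
PE_SIG = b'PE' + bytes(2)           # PE signature at the offset stored in e_lfanew (0x3C)
GZIP_MAGIC = bytes.fromhex('1f8b')  # first two bytes of a gzip stream


def identify(blob):
    # Classify a blob as stored: 'pe', 'gzip' or None.
    if blob[:2] == GZIP_MAGIC:
        return 'gzip'
    if blob[:2] == MZ and len(blob) >= 0x40:
        e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
        if e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == PE_SIG:
            return 'pe'
    return None


def mirror_hint(blob):
    # The quick hex-editor check from the write-up: a mirrored PE ends in ZM,
    # a mirrored gzip stream ends in the gzip magic backwards (8b 1f).
    tail = blob[-2:]
    if tail == MZ[::-1]:
        return 'mirrored-pe'
    if tail == GZIP_MAGIC[::-1]:
        return 'mirrored-gzip'
    return None


def unmirror(blob):
    # Try the blob as stored, then byte-reversed; returns (kind, data, was_reversed).
    kind = identify(blob)
    if kind:
        return kind, bytes(blob), False
    reversed_blob = bytes(blob[::-1])
    kind = identify(reversed_blob)
    if kind:
        return kind, reversed_blob, True
    return None, bytes(blob), False


def extract_stage(blob):
    # Recover the embedded executable through the two packings used in this chain:
    # a mirrored PE (the Discord .jpg) or a mirrored gzip archive of a PE (the Waqybg resource).
    # The second unmirror also handles an archive member that is itself mirrored.
    kind, data, _ = unmirror(blob)
    if kind == 'gzip':
        kind, data, _ = unmirror(gzip.decompress(data))
    return kind, data


def build_samples():
    # Constructed stand-ins, not the real samples: a 0x60-byte MZ/PE header stub,
    # then that stub mirrored like the download, and a mirrored gzip of it like the resource.
    stub = bytearray(0x60)
    stub[0:2] = MZ
    struct.pack_into('<I', stub, 0x3C, 0x40)   # e_lfanew: PE header lives at 0x40
    stub[0x40:0x44] = PE_SIG
    stub[0x44:0x46] = bytes.fromhex('4c01')    # Machine = 0x014c (i386)
    stub = bytes(stub)
    return stub, stub[::-1], gzip.compress(stub)[::-1]


if __name__ == '__main__':
    stub, mirrored_pe, mirrored_gz = build_samples()
    for name, blob in (('download.jpg', mirrored_pe), ('Waqybg', mirrored_gz)):
        kind, data = extract_stage(blob)
        print(name, mirror_hint(blob), '->', kind, data == stub)
```

The point of checking the e_lfanew pointer as well as the MZ bytes is to avoid false positives: two bytes of MZ at either end of a random blob are cheap to hit, a consistent PE signature at the pointed-to offset is not.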
If we open the file in a hex editor, we will see that the entire file is mirrored.\r\nFigure 6: End of the downloaded file in hex editor\r\nThe file ends with ZM, which is the MZ signature of a Windows executable written backwards; that signature belongs at\r\noffset 0 of a PE file, so the whole byte sequence has been reversed.\r\nThe malware has the “InsertItem” function which serves to “reverse” the contents of the downloaded file:\r\nFigure 7: InsertItem function code\r\nAfter reversing the content, we have the actual stage3 payload.\r\nFinally, stage2 reflectively loads stage3, that is, it loads the assembly straight from memory without writing it to disk:\r\nFigure 8: Calling method “Ylfwdwgmpilzyaph” from stage3\r\nStage3 (9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d)\r\nThis is yet another obfuscated .NET file, this time a DLL; it is obfuscated using “Eazfuscator.”\r\nAs mentioned, stage2 calls a method named “Ylfwdwgmpilzyaph” from this DLL.\r\nFigure 9: “Ylfwdwgmpilzyaph” code\r\nThe file contains three resources.\r\nFigure 10: Code that loads resource “7c8cb5598e724d34384cce7402b11f0e”\r\nUsing “EazFixer” we were able to recover the deobfuscated DLL\r\n(35feefe6bd2b982cb1a5d4c1d094e8665c51752d0a6f7e3cae546d770c280f3a).\r\nThe deobfuscated DLL contains two resources.\r\nFigure 11: Resources in the deobfuscated DLL\r\nThe “AdvancedRun” resource is a gzip archive containing “AdvancedRun.exe,” a legitimate NirSoft utility for running\r\na program with alternative settings, such as under a different user account, which is used by system administrators.\r\nFigure 12: Official AdvancedRun usage examples\r\nIn this case, it is abused to stop and delete Windows Defender.\r\nThe “Waqybg” resource is a “reversed” gzip archive (the same method used for the .jpg downloaded from\r\nDiscord) containing the final stage, a file-corrupting malware.\r\nStage4 (34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907)\r\nThis file is also compiled using MinGW 
GCC, the same as the stage1 payload:\r\nFigure 13: Stage4 compiler information\r\nThe malware searches all hard drives for files with the extensions listed below and partially overwrites each one it\r\nfinds; destroying the start of a file is enough to make most document formats unreadable.\r\n.HTML .HTM .PHTML .PHP .JSP .ASP .PHPS .PHP5 .ASPX .PHP4 .PHP3 .DOC .DOCX .XLS .XLSX .PPT\r\n.PPTX .PST .MSG .EML .TXT .CSV .RTF .WKS .WK1 .PDF .DWG .JPEG .JPG .DOCM .DOT .DOTM .XLSM\r\n.XLSB .XLW .XLT .XLM .XLC .XLTX .XLTM .PPTM .POT .PPS .PPSM .PPSX .HWP .SXI .STI .SLDX\r\n.SLDM .BMP .PNG .GIF .RAW .TIF .TIFF .PSD .SVG .CLASS .JAR .SCH .VBS .BAT .CMD .ASM .PAS .CPP\r\n.SXM .STD .SXD .ODP .WB2 .SLK .DIF .STC .SXC .ODS .3DM .MAX .3DS .STW .SXW .ODT .PEM .P12\r\n.CSR .CRT .KEY .PFX .DER .OGG .JAVA .INC .INI .PPK .LOG .VDI .VMDK .VHD .MDF .MYI .MYD .FRM\r\n.SAV .ODB .DBF .MDB .ACCDB .SQL .SQLITEDB .SQLITE3 .LDF .ARC .BAK .TAR .TGZ .RAR .ZIP\r\n.BACKUP .ISO .CONFIG\r\nFigure 14: Delete command and partial extension list\r\nIt then renames each corrupted file, replacing its extension with a random one. When finished, the malware deletes its\r\nown executable by calling cmd.exe with a command line that first runs a ping to pause for about 5 seconds; a running\r\nexecutable cannot delete itself, so the delay lets the process exit before the file is removed.\r\nFinally, it logs off the current user and shuts down the computer, passing shutdown reason code 14 (network\r\nconnectivity):\r\nFigure 15: Exit routine\r\nConclusions\r\nStage1 malware is written in C and is used to corrupt the MBR, so that the operating system no longer boots; the\r\nfiles on the disk are still intact and can be recovered, for example by rebuilding the partition table or by\r\nmounting the volumes from another system.\r\nStage2 malware is used to load stage3 malware, both of which are written in .NET. 
Similar loaders have been\r\nobserved, and those are believed to be generic and not unique to this threat actor.\r\nStage3 malware loads stage4, which is also written in C, the same as the stage1 malware.\r\nStage4 malware is used to corrupt important files on the hard disks.\r\nIf stage1 or stage4 does not execute properly, partial recovery might be possible, but the successful combination of\r\nthe two leads to almost certain corruption of all important data with no recovery option.\r\nAdditionally, the ransom note is fake: the malware does not encrypt the files, it simply destroys them, so there is\r\nnothing a payment could buy back.\r\nDeep Instinct vs. The Threat Actor\r\nWe have tested a random Impacket wmiexec binary against the Deep Instinct Prevention Platform and it was\r\nblocked:\r\nFigure 16: wmiexec being blocked\r\nWe have also tested the four malware samples and they were blocked:\r\nFigure 17: stage1 is being blocked\r\nFigure 18: stage2 is being blocked\r\nFigure 19: stage3 is being blocked\r\nFigure 20: stage4 is being blocked\r\nDeep Instinct customers are protected against various wiper malware as we mentioned in our previous blogs and\r\nreports. If you’d like to see the platform in action for yourself, we’d encourage you to request a demo.\r\nSource: https://www.deepinstinct.com/blog/the-ukrainian-government-cyberattack-what-you-need-to-know",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/blog/the-ukrainian-government-cyberattack-what-you-need-to-know"
	],
	"report_names": [
		"the-ukrainian-government-cyberattack-what-you-need-to-know"
	],
	"threat_actors": [
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db8b729d58ba58c4c878281f5c374f469bfa43f1.pdf",
		"text": "https://archive.orkl.eu/db8b729d58ba58c4c878281f5c374f469bfa43f1.txt",
		"img": "https://archive.orkl.eu/db8b729d58ba58c4c878281f5c374f469bfa43f1.jpg"
	}
}