{
	"id": "a03a2551-c382-4e67-bbe7-80eabe1fb9ba",
	"created_at": "2026-04-06T03:36:29.372176Z",
	"updated_at": "2026-04-10T03:35:26.320497Z",
	"deleted_at": null,
	"sha1_hash": "ea311a42f997f7380d2eee3321fcbdec496e66af",
	"title": "WhisperGate Malware Corrupts Computers in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 650583,
	"plain_text": "WhisperGate Malware Corrupts Computers in Ukraine\r\nBy INSIKT GROUP\r\nArchived: 2026-04-06 03:33:10 UTC\r\nPUBLISHED ON 28 JAN 2022\r\nThis report is a technical overview of the WhisperGate malware reported by Microsoft Threat Intelligence on January 15, 2022. It is intended for those looking for a high-level overview of the malware’s TTPs and mitigations.\r\nExecutive Summary\r\nWhisperGate is a new malware family being used in an ongoing operation targeting multiple industries in Ukraine, including government, non-profit, and information technology organizations. The malware is a 3-stage master boot record (MBR) wiper designed to destroy a victim’s MBR and corrupt files on attached storage devices. Each stage of the malware has a discrete task: stage 1 overwrites the MBR with a ransom note and code to overwrite sections on each drive found, stage 2 downloads and executes stage 3, which is hosted on Discord’s CDN as a JPG attachment, and stage 3 corrupts any file that matches a list of 191 file extensions. The developers of the malware use obfuscation, particularly in stage 3, to evade detection and analysis. WhisperGate wipes and corrupts a Windows system to the point where files and drives are no longer recoverable or usable. Details around the motive for WhisperGate and the threat actor behind the attacks are still emerging. 
These attacks take place in the context of an escalating risk of a Russian invasion of Ukraine and the Ukrainian government website defacements that occurred on January 14, 2022.\r\nKey Judgments\r\nAs of this writing, the threat actor group deploying WhisperGate has not been attributed to any known threat groups, but other researchers suspect the group is state sponsored.\r\nThe same precautions taken against ransomware with respect to data backups should be applied to mitigate the effects of WhisperGate’s data destruction capabilities.\r\nWhisperGate malware has not been observed in use as part of any other attacks outside of Ukraine, indicating it may have been developed specifically for this operation.\r\nBackground\r\nhttps://www.recordedfuture.com/research/whispergate-malware-corrupts-computers-ukraine\r\nPage 1 of 7\n\nOn January 15, 2022, Microsoft reported a destructive malware operation targeting multiple organizations in Ukraine. This activity has not been attributed to any existing threat actor group and is therefore being tracked using Microsoft's DEV-#### naming convention, which is used to track unknown emerging clusters of threat activity. This group has been given the designation DEV-0586 until it is eventually converted to a named actor or merged with an existing actor. Microsoft started seeing this malicious activity on January 13, 2022, which led to the investigation that uncovered a new malware family that is being tracked as WhisperGate.\r\nWhisperGate Technical Analysis\r\nThe WhisperGate malware has 3 stages, detailed below in Figure 1. All 3 stages must be executed prior to the machine rebooting for maximum effect. Stage 1 corrupts the MBR of the victim’s boot disk and upon reboot will corrupt other drives on the system. Stage 2 downloads stage 3, which is used to corrupt files on attached file systems and network drives. 
Damage occurs even if only one of stage 1 or stage 2 executes successfully. In testing, we found that GUID Partition Table (GPT) disks are not irreparably destroyed by WhisperGate’s stage 1 malware and therefore are partially immune to that stage of the malware. We speculate that the inclusion of stages 2 and 3 may be a way to ensure that victims using GPT-style boot disks are affected by the malware too. However, stage 3 also targets remote network drives, which would cause further damage regardless of the partitioning scheme used by the victim’s boot disk.\r\nFigure 1: Stages of WhisperGate malware (Source: Recorded Future)\r\nStage 1: Overwrite Master Boot Record (MBR)\r\nStage 1 is compiled using the Minimalist GNU for Windows (MinGW) development environment, which supports GNU Compiler Collection (GCC) 6.3.0 on Windows. The binary’s primary objective is to overwrite the MBR of “\\\\.\\PhysicalDrive0” with a custom MBR whose effect won’t be seen until the machine reboots. At startup, the computer’s BIOS determines the disk order to use when looking for the MBR. Overwriting the MBR on PhysicalDrive0 assumes that this disk is the first one the BIOS checks, which is normally a reasonable assumption. Once the machine reboots and the custom MBR code executes, the user is presented with the ransom note displayed in Figure 2.\r\nFigure 2: Ransom note displayed after stage 1 of WhisperGate is executed (Source: Recorded Future)\r\nAfter displaying the ransom note, the MBR code overwrites sections of each drive, on 199-byte intervals, with the contents shown in Figure 3. 
The content written to each drive differs at the sixth byte, incrementing sequentially from 0x00.\r\nFigure 3: Hex view of the contents that are written to disk (Source: Recorded Future)\r\nThe MBR code writes the content multiple times to each drive by making extended write function calls via interrupt 0x13, as shown in Figure 4.\r\nFigure 4: MBR instructions that enumerate the drives and overwrite sections on each disk found (Source: Recorded Future)\r\nIn the event that a victim is using GPT-style partition tables on their boot disk, stage 1 will not be effective. Upon reboot, Windows will not be able to boot; however, WhisperGate’s MBR code, which corrupts the disk drives, will not run, because a UEFI system booting Windows from a GPT disk does not execute the MBR boot code. Since GPT disks maintain a backup copy of the GPT table at the end of the disk, victims can restore the GPT table by running a live Linux distribution and using the gdisk utility’s recovery command as shown in Figure 5.\r\nFigure 5: Restoring the corrupted GPT table with the gdisk recovery command (Source: Recorded Future)\r\nStage 2: Downloader\r\nStage 2 is written in .NET, and its primary functionality is to download the third stage of the malware and execute it. It begins execution after 20 seconds, using the PowerShell command “powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==”, which decodes to “Start-Sleep -s 10”. The 10-second delay is executed twice and is likely used to help the malware evade detection by AV engines. The malware retrieves the third stage from a Discord attachment hosted on https://cdn[.]discordapp[.]com, named Tbopbh.jpg. 
Stage 2 reverses the JPG file’s bytes, reflectively loads the result as a .NET assembly, and then calls the exported function “Ylfwdwgmpilzyaph”.\r\nStage 3: File Corrupter\r\nStage 3 of the malware is written in .NET and obfuscated with Eazfuscator. Upon execution, 2 embedded PE executable resources (AdvancedRun and Wagybg) are unpacked, decoded, and GZIP decompressed. Next, a .vbs script is written to “%AppData%\\local\\Temp\\Nmddfrqqrbyjeygggda.vbs” and executed with Wscript.exe. The script, shown in Figure 6, is used to exclude the entire C drive from being scanned by Windows Defender.\r\nFigure 6: Contents of “%AppData%\\local\\Temp\\Nmddfrqqrbyjeygggda.vbs” (Source: Recorded Future)\r\nAdvancedRun is then executed to stop the Windows Defender service and delete its program data folder. AdvancedRun is benign software developed by NirSoft and used to run programs under different settings. The author used AdvancedRun due to its ability to run programs with TrustedInstaller privileges, which are needed to execute the command that disables Windows Defender. Figures 7 and 8 show the command line arguments used to run AdvancedRun.exe. The “/RunAs 8” argument instructs AdvancedRun to run the target program with TrustedInstaller privileges.\r\nFigure 7: “AdvancedRun.exe” stopping the Windows Defender service (Source: Recorded Future)\r\nFigure 8: “AdvancedRun.exe” recursively deleting Windows Defender’s program data (Source: Recorded Future)\r\nFinally, Wagybg is run via process hollowing in an InstallUtil.exe process. A similar technique was used to load the Netwire trojan in 2019 as part of a phishing campaign. InstallUtil is a benign program produced by Microsoft and distributed as part of the .NET Framework.\r\nThis stage of the malware performs the file corruption. It first gets a list of logical drives on the system by calling GetLogicalDrives(), then identifies those that are fixed media or network drives. 
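Two artifacts of this stage can be checked mechanically: the stage 3 download is a PE image stored with its bytes reversed, and the corrupter overwrites the first 1 MiB of each targeted file with 0xCC. The Python below is an added example, not code from the report: it recognises a byte-reversed PE by parsing the DOS header and PE signature of the reversed buffer, and scans a directory for files whose leading bytes are entirely 0xCC. The PE header, the victim files and the four-extension list are constructed for the demo; the real extension list is the 191 entries in Figure 9 and is not reproduced here.

```python
import os
import struct
import tempfile
from pathlib import Path
from typing import List

ONE_MIB = 1024 * 1024
FILL = 0xCC  # byte value the stage 3 corrupter writes over the head of each file

def is_pe(blob: bytes) -> bool:
    # MZ at offset 0, and the PE signature at the offset stored in e_lfanew (0x3C).
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)

def is_reversed_pe(blob: bytes) -> bool:
    # Stage 2 reverses the downloaded JPG before loading it as an assembly, so the
    # file as delivered ends with ZM and only parses as a PE once reversed.
    return not is_pe(blob) and is_pe(blob[::-1])

def build_minimal_pe() -> bytes:
    # Constructed sample (not a real binary): a DOS header whose e_lfanew points at
    # a PE signature, followed by filler so the reversed form is clearly not a PE.
    header = bytearray(b'MZ' + bytes(0x3A))             # 0x3C bytes of DOS stub
    header += struct.pack('<I', 0x40)                   # e_lfanew = 0x40
    header += bytes(0x40 - len(header))                 # pad up to e_lfanew
    header += b'PE' + bytes(2) + bytes([0x4C, 0x01])    # signature + Machine=I386
    header += bytes(range(1, 65))                       # filler
    return bytes(header)

def looks_corrupted(path: Path, head_len: int = ONE_MIB) -> bool:
    # True if the whole head (1 MiB, or the entire file if smaller) is FILL.
    # Empty files are not corrupted: there was nothing to overwrite.
    size = path.stat().st_size
    n = min(size, head_len)
    if n == 0:
        return False
    with path.open('rb') as fh:
        head = fh.read(n)
    return head == bytes([FILL]) * n

def scan_for_corruption(root: Path, extensions) -> List[Path]:
    # Walk root and return files with a targeted extension whose head is all FILL.
    # The extension list passed in is the caller's; the report lists 191 in Figure 9.
    wanted = {e.lower() for e in extensions}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.suffix.lower() in wanted and looks_corrupted(p):
                hits.append(p)
    return sorted(hits)

def demo() -> dict:
    # Builds a constructed victim directory and returns what the checks find.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'intact.docx').write_bytes(b'PK' + bytes(300))
        (root / 'small.txt').write_bytes(bytes([FILL]) * 100)                       # whole file overwritten
        (root / 'large.pdf').write_bytes(bytes([FILL]) * ONE_MIB + b'tail of original')
        (root / 'partial.xls').write_bytes(bytes([FILL]) * 10 + b'x')               # head not fully FILL
        (root / 'binary.exe').write_bytes(bytes([FILL]) * 50)                       # extension not targeted
        hits = scan_for_corruption(root, ['.docx', '.txt', '.pdf', '.xls'])
        sample_pe = build_minimal_pe()
        return {
            'corrupted': [p.name for p in hits],
            'reversed_pe_detected': is_reversed_pe(sample_pe[::-1]),
            'plain_pe_flagged': is_reversed_pe(sample_pe),
        }

if __name__ == '__main__':
    print(demo())
```

Point scan_for_corruption at a mounted victim volume with the Figure 9 extensions to inventory files the corrupter reached; a file shorter than 1 MiB is reported only if it is 0xCC from start to end, and a head that is not uniformly 0xCC is left as intact rather than guessed at.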
The malware searches these drives for files ending in 1 of the 191 file extensions shown in Figure 9 below. It then corrupts matching files by overwriting the first 1 MiB of each file with 0xCC bytes.\r\nFigure 9: Targeted file extensions (Source: Recorded Future)\r\nAfter it finishes corrupting files, the corrupter sends 5 ping requests to 111.111.111[.]111 and then deletes itself as shown in Figure 10. While it is unclear exactly why the malware makes the ping requests, we speculate that it could be to add a time delay before deleting itself or to keep a record of infected hosts.\r\nFigure 10: Self-deletion function used by the file corrupter (Source: Recorded Future)\r\nMitigations\r\nWe recommend that organizations adopt an offsite backup strategy to protect their data from the destruction capabilities of the WhisperGate malware. Because stage 3 also corrupts files on mapped network drives, backups should be kept offline or otherwise unreachable from the hosts they protect.\r\nNetwork segmentation can prevent attackers and malware from gaining access to other parts of an organization's network. This solution involves splitting the larger network into smaller network segments and can be accomplished through firewalls, virtual local area networks, and other separation techniques.\r\nConsider keeping sensitive client information on systems that are disconnected from the internet or segmented from the rest of the corporate network. 
Since WhisperGate malware will tamper with files on a victim system, moving highly sensitive customer data to a system with no internet access or access to the rest of the network will minimize the access WhisperGate malware would have to those files.\r\nConfigure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and, upon review, consider blocking connection attempts to and from — the external IP address mentioned.\r\nIf remote access solutions are crucial to daily operations, all such remote access services and protocols, such as Citrix and RDP, should be implemented with two-factor or multi-factor authentication.\r\nMonitor for suspicious file modification activity, particularly large quantities of file modifications in user directories.\r\nSet the Execution Policy for PowerShell to require that scripts be signed in order to be executed. This will only be effective for scripts being run traditionally (for example by double-clicking) and will not protect against base64-encoded scripts executed on the command line as an argument to the PowerShell program (such as powershell.exe \u003ccommand\u003e).\r\nUse newer versions of PowerShell, such as version 5, which added some security-related improvements.\r\nAntiMalware Scan Interface (AMSI): This feature was introduced in Windows 10 and Windows Server 2016 and provides “file and memory or stream scanning, content source URL/IP reputation checks, and other techniques” and can integrate with PowerShell, UAC, Windows Script Host, JavaScript, VBScript, and Office VBA Macros. 
Research into how AMSI can be bypassed indicates that the use of obfuscation (such as XOR or base64-encoding “banned” commands) or a simple execution bypass, among other more sophisticated methods such as memory patching, can be used to get around AMSI.\r\nEnsure logging of scripts and commands is enabled. These include: Module Logging (records pipeline execution of PowerShell scripts, including some portions of the script, some deobfuscated code and some data formatted for output), Script Block Logging (records execution, including full contents of scripts and commands that are executed), and Transcription (creates a unique record of each PowerShell session, including input and output). While logging will not necessarily prevent malicious PowerShell from executing, it could help with understanding what kind of malicious behavior or indicators were involved.\r\nOutlook\r\nAs of this writing, it appears that DEV-0586 has only been using WhisperGate to target organizations in Ukraine. We expect more information about this threat actor, including attribution, will be published over the next few days or weeks. Now that WhisperGate has been publicly reported and security professionals have been alerted to the malware, it is possible that the developers of WhisperGate will alter the wiper to better evade detections.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.recordedfuture.com/research/whispergate-malware-corrupts-computers-ukraine"
	],
	"report_names": [
		"whispergate-malware-corrupts-computers-ukraine"
	],
	"threat_actors": [
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446589,
	"ts_updated_at": 1775792126,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea311a42f997f7380d2eee3321fcbdec496e66af.pdf",
		"text": "https://archive.orkl.eu/ea311a42f997f7380d2eee3321fcbdec496e66af.txt",
		"img": "https://archive.orkl.eu/ea311a42f997f7380d2eee3321fcbdec496e66af.jpg"
	}
}