{
	"id": "ffb3eb9a-f6f7-40a5-b14d-0940568f4261",
	"created_at": "2026-04-06T00:13:29.246788Z",
	"updated_at": "2026-04-10T13:11:55.288998Z",
	"deleted_at": null,
	"sha1_hash": "f945b7a1e05e36603f3cfb1e3bc453e413aad79d",
	"title": "Destructive malware targeting Ukrainian organizations | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71281,
	"plain_text": "Destructive malware targeting Ukrainian organizations | Microsoft\r\nSecurity Blog\r\nBy Microsoft Digital Security Unit (DSU), Microsoft Incident Response, Microsoft Threat Intelligence\r\nPublished: 2022-01-16 · Archived: 2026-04-05 14:00:14 UTC\r\nJune 2023 update – For more information about Cadet Blizzard’s tooling, victimology, and motivation, read this\r\nblog: Cadet Blizzard emerges as a novel and distinct Russian threat actor | Microsoft Security Blog\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned\r\naround the theme of weather. DEV-0586 is now tracked as Cadet Blizzard.\r\nMicrosoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting\r\nmultiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022.\r\nMicrosoft is aware of the ongoing geopolitical events in Ukraine and surrounding region and encourages\r\norganizations to use the information in this post to proactively protect from any malicious activity.\r\nWhile our investigation is continuing, MSTIC has not found any notable associations between this observed\r\nactivity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware, which is\r\ndesigned to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and\r\ndesigned to render targeted devices inoperable rather than to obtain a ransom.\r\nAt present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of\r\nimpacted systems and that number could grow as our investigation continues. These systems span multiple\r\ngovernment, non-profit, and information technology organizations, all based in Ukraine. 
We do not know the\r\ncurrent stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or\r\nother geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as\r\nother organizations are reporting.\r\nGiven the scale of the observed intrusions, MSTIC is not able to assess intent of the identified destructive actions\r\nbut does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located\r\nor with systems in Ukraine. We strongly encourage all organizations to immediately conduct a thorough\r\ninvestigation and to implement defenses using the information provided in this post. MSTIC will update this blog\r\nas we have additional information to share.\r\nAs with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have\r\nbeen targeted or compromised, providing them with the information they need to guide their investigations.\r\nMSTIC is also actively working with members of the global security community and other strategic partners to\r\nshare information that can address this evolving threat through multiple channels. Microsoft uses DEV-####\r\ndesignations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity,\r\nallowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or\r\nhttps://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\r\nPage 1 of 4\n\nidentity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor or merged\r\nwith existing actors.\r\nObserved actor activity\r\nOn January 13, Microsoft identified intrusion activity originating from Ukraine that appeared to be possible Master\r\nBoot Records (MBR) Wiper activity. 
During our investigation, we found a unique malware capability being used in\r\nintrusion attacks against multiple victim organizations in Ukraine.\r\nStage 1: Overwrite Master Boot Record to display a faked ransom note\r\nThe malware resides in various working directories, including C:\\PerfLogs, C:\\ProgramData, C:\\, and C:\\temp,\r\nand is often named stage1.exe. In the observed intrusions, the malware executes via Impacket, a publicly available\r\ncapability often used by threat actors for lateral movement and execution.\r\nThe two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage\r\n1). The MBR is the part of a hard drive that tells the computer how to load its operating system. The ransom note\r\ncontains a Bitcoin wallet and Tox ID (a unique account identifier used in the Tox encrypted messaging protocol)\r\nthat have not been previously observed by MSTIC:\r\nYour hard drive has been corrupted.\r\nIn case you want to recover all hard drives\r\nof your organization,\r\nYou should pay us $10k via bitcoin wallet\r\n1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via\r\ntox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65\r\nwith your organization name.\r\nWe will contact you to give further instructions.\r\nThe malware executes when the associated device is powered down. Overwriting the MBR is atypical for\r\ncybercriminal ransomware. In reality, the ransom note is a ruse: the malware destroys the MBR and the\r\ncontents of the files it targets. There are several reasons why this activity is inconsistent with cybercriminal\r\nransomware activity observed by MSTIC, including:\r\nRansomware payloads are typically customized per victim. In this case, the same ransom payload was\r\nobserved at multiple victims.\r\nVirtually all ransomware encrypts the contents of files on the filesystem. The malware in this case\r\noverwrites the MBR with no mechanism for recovery. 
\r\nExplicit payment amounts and cryptocurrency wallet addresses are rarely specified in modern criminal\r\nransom notes, but were specified by DEV-0586. The same Bitcoin wallet address has been observed across\r\nall DEV-0586 intrusions and at the time of analysis, the only activity was a small transfer on January 14.\r\nIt is rare for the communication method to be only a Tox ID, an identifier for use with the Tox encrypted\r\nmessaging protocol. Typically, there are websites with support forums or multiple methods of contact\r\n(including email) to make it easy for the victim to successfully make contact.\r\nMost criminal ransom notes include a custom ID that a victim is instructed to send in their communications\r\nto the attackers. This is an important part of the process where the custom ID maps on the backend of the\r\nransomware operation to a victim-specific decryption key. The ransom note in this case does not include a\r\ncustom ID.\r\nMicrosoft will continue to monitor DEV-0586 activity and implement protections for our customers. The current\r\ndetections, advanced detections, and IOCs in place across our security products are detailed below.\r\nStage 2: File corrupter malware\r\nStage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the\r\nnext-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The next-stage malware can best be described as a malicious file corrupter. 
Once executed in memory, the corrupter locates\r\nfiles in certain directories on the system with one of the following hardcoded file extensions:\r\n.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .\r\nIf a file carries one of the extensions above, the corrupter overwrites the contents of the file with a fixed number of\r\n0xCC bytes (total file size of 1MB). After overwriting the contents, the destructor renames each file with a\r\nseemingly random four-byte extension. Analysis of this malware is ongoing.\r\nRecommended customer actions\r\nMSTIC and the Microsoft security teams are working to create and implement detections for this activity. To date,\r\nMicrosoft has implemented protections to detect this malware family as WhisperGate (e.g.,\r\nDoS:Win32/WhisperGate.A!dha) via Microsoft Defender Antivirus and Microsoft Defender for Endpoint,\r\nwherever these are deployed in on-premises and cloud environments. We are continuing the investigation and will\r\nshare significant updates with affected customers, as well as public and private sector partners, as we get more\r\ninformation. The techniques used by the actor and described in this post can be mitigated by adopting the\r\nsecurity considerations provided below:\r\nUse the included indicators of compromise to investigate whether they exist in your environment and assess\r\nfor potential intrusion.\r\nReview all authentication activity for remote access infrastructure, with a particular focus on accounts\r\nconfigured with single factor authentication, to confirm authenticity and investigate any anomalous activity.\r\nEnable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that\r\nMFA is enforced for all remote connectivity.  
NOTE: Microsoft strongly encourages all customers to\r\ndownload and use password-less solutions like Microsoft Authenticator to secure accounts.\r\nEnable controlled folder access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR\r\nmodification.\r\nIndicators of compromise (IOCs)\r\nThe following list provides IOCs observed during our investigation. We encourage customers to investigate these\r\nindicators in their environments and implement detections and protections to identify past related activity and\r\nprevent future attacks against their systems.\r\nIndicator | Type | Description\r\na196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 | SHA-256 | Hash of destructive malware stage1.exe\r\ndcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 | SHA-256 | Hash of stage2.exe\r\ncmd.exe /Q /c start c:\\stage1.exe 1\u003e \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261 | Command line | Example Impacket command line showing the execution of the destructive malware. The working directory has varied in observed intrusions.\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nDetections\r\nMicrosoft 365 Defender\r\nAntivirus\r\nDoS:Win32/WhisperGate.A!dha\r\nDoS:Win32/WhisperGate.C!.dha\r\nDoS:Win32/WhisperGate.H!dha\r\nDoS:Win32/WhisperGate.X!dha\r\nSource: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
	],
	"report_names": [
		"destructive-malware-targeting-ukrainian-organizations"
	],
	"threat_actors": [
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f945b7a1e05e36603f3cfb1e3bc453e413aad79d.pdf",
		"text": "https://archive.orkl.eu/f945b7a1e05e36603f3cfb1e3bc453e413aad79d.txt",
		"img": "https://archive.orkl.eu/f945b7a1e05e36603f3cfb1e3bc453e413aad79d.jpg"
	}
}