WhisperGate

Malware updated 22 days ago (2024-11-29T13:55:52.666Z)
Download STIX
Preview STIX
WhisperGate is a malicious software (malware) deployed by Unit 29155 cyber actors, known for their extensive use of this malware, particularly against Ukraine. The malware corrupts a system's master boot record, displays a fake ransomware note, and encrypts files based on specific file extensions. The deployment process involves two stages: stage1.exe and stage2.exe. WhisperGate is not exclusive to Unit 29155, as it has been used by other groups as well. It has also been associated with another malware called WhisperKill, which destroys files with specific extensions. The GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. Shortly after one such deployment, the actors exfiltrated data to mega[.]nz using Rclone. The Discord accounts associated with the WhisperGate campaign are categorized into three main clusters, labeled as Clusters 1, 2, and 3. A Cybersecurity Advisory provides tactics, techniques, and procedures (TTPs) associated with Unit 29155 cyber actors during and after their deployment of WhisperGate against Ukraine. In addition to WhisperGate and other incidents against Ukraine, Unit 29155 cyber actors have conducted computer network operations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, and Central Asia. Detailed technical analysis of the WhisperGate malware was conducted on samples collected from one victim, and further information is available in the joint advisory, "Destructive Malware Targeting Organizations in Ukraine," published on February 26, 2022.
Description last updated: 2024-11-21T10:45:44.872Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Whisperkill is a possible alias for WhisperGate. WhisperKill, also known as ShadyLook, is a destructive malware downloaded by another malicious software called WhisperGate (or PayWipe). As part of the broader family of wiper malware that includes DoubleZero, HermeticWiper, IsaacWiper, WhisperGate, CaddyWiper, and AcidRain, it is designed to exploi
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Wiper
Ukrainian
Russia
Ukraine
Blizzard
Windows
Apt
Government
Microsoft
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The HermeticWiper Malware is associated with WhisperGate. HermeticWiper is a destructive malware that was first disclosed by cybersecurity researchers on February 23, 2022. This malicious software was deployed against organizations in Ukraine, with the intent of destroying computer systems and rendering them inoperable. The malware infiltrates systems throUnspecified
4
The CaddyWiper Malware is associated with WhisperGate. CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWipUnspecified
4
The Isaacwiper Malware is associated with WhisperGate. IsaacWiper is a malicious software (malware) that has been identified as part of a series of cyberattacks against Ukraine in 2022. The malware is known to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Once inside, IsaacWiper can disruUnspecified
4
The Acidrain Malware is associated with WhisperGate. AcidRain is a malicious software, or malware, that was first described in March, following a cyberattack that disrupted approximately 10,000 satellite modems associated with communications provider Viasat's KA-SAT network. The malware was discovered by cybersecurity firm SentinelOne in February 2022Unspecified
2
The NotPetya Malware is associated with WhisperGate. NotPetya is a destructive malware that posed as ransomware, causing significant global damage in 2017. Despite its appearance as ransomware, NotPetya was not designed to extort money but rather to destroy data and disrupt operations, particularly targeting Ukraine's infrastructure. NotPetya was attrUnspecified
2
The Doublezero Malware is associated with WhisperGate. DoubleZero is a form of malware, specifically classified as a "wiper," that was discovered by CERT-UA on March 17th, 2022. Like other malicious software, it can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Unlike most malware, however, DouUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Cadet Blizzard Threat Actor is associated with WhisperGate. Cadet Blizzard, a Russian threat actor, has emerged as a significant cybersecurity concern. Identified by the Microsoft Threat Intelligence Center in June 2023, Cadet Blizzard is linked to Russia's GRU military intelligence unit and has been operational since at least 2020. The group has demonstrateUnspecified
4
The Nodaria Threat Actor is associated with WhisperGate. Nodaria (UAC-0056), a Russia-sponsored threat actor, has been active since at least March 2021, primarily targeting Ukraine but also known to have targeted entities in Kyrgyzstan and Georgia. Initially relatively unknown, Nodaria's activities escalated significantly following the Russian invasion ofUnspecified
2
Source Document References
Information about the WhisperGate Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
a month ago
CISA
4 months ago
Checkpoint
3 months ago
DARKReading
3 months ago
InfoSecurity-magazine
3 months ago
Flashpoint
3 months ago
Securityaffairs
3 months ago
CISA
4 months ago
Securityaffairs
6 months ago
BankInfoSecurity
6 months ago
InfoSecurity-magazine
6 months ago
Securityaffairs
8 months ago
Securityaffairs
a year ago
Securityaffairs
2 years ago
MITRE
2 years ago
CERT-EU
a year ago
CERT-EU
a year ago
Securelist
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago