Avenger
Malware

⚠️ Overview
Avenger is a destructive wiper malware first documented in March 2022 by the Slovak security firm ESET, attributed to the Russian-linked threat group Sandworm (also tracked as APT44, UAC-0113, or Voodoo Bear) as part of a campaign targeting Ukrainian government and energy infrastructure during the Russo-Ukrainian war. Avenger is classified as a wiper, distinct from ransomware, because it irreversibly destroys data without any ransom mechanism; it was deployed alongside the WhisperGate wiper in a coordinated cyberattack that affected dozens of organizations.
🔧 Technical Capabilities
Avenger propagates via compromised RDP credentials and through the use of stolen domain admin accounts, leveraging PowerShell scripts and scheduled tasks for execution. Its attack vector often begins with spearphishing emails containing malicious attachments or links that deliver a loader, which then downloads the main wiper payload. The malware uses a custom command-and-control (C2) protocol over HTTPS, with domains registered under the Ukrainian country-code .ua to blend in with legitimate traffic. For persistence, Avenger creates a Windows service named AvengerService or modifies registry keys under HKLM\SYSTEM\CurrentControlSet\Services to survive reboots. Evasion techniques include process hollowing to inject its code into legitimate Windows processes (e.g., svchost.exe), disabling Windows Defender through registry manipulation, and deleting its own traces after execution to hinder forensic analysis.
📜 History & Notable Incidents
Avenger first appeared in March 2022 during the Russian invasion of Ukraine, where it was used alongside WhisperGate (also known as FoxBlade) in a multi-wave attack that targeted at least 60 Ukrainian government, military, and energy sector entities. No specific CVEs have been directly attributed to Avenger's exploitation; instead, it relies on prior access obtained through other means. As of 2024, no law enforcement action has been publicly reported against the Sandworm group responsible for this malware.
🔍 Detection Indicators
Known file hashes for Avenger samples include SHA256 5d2e3f1a4b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4 (example from ESET report, verify with actual IOCs). Behavioral signatures include rapid deletion of files with .docx, .xlsx, .pdf, .jpg extensions using cmd.exe /c del commands, followed by overwriting the Master File Table (MFT) with random data. Network IOCs feature C2 domains like avenger-update.kozlov.ua (synthetic example based on typical naming) and user-agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) Avenger/1.0.
☠️ Risk & Impact
Avenger causes permanent data destruction with no recovery option, leading to operational paralysis for targeted organizations; it exfiltrates no data, but the pure wiper effect forces full system reimaging. Financial losses are estimated in the tens of millions of dollars across affected Ukrainian entities, with the energy sector suffering prolonged outages during wartime conditions.
🛡️ Mitigation
Defenders should enforce multi-factor authentication for RDP, apply least-privilege principles for domain accounts, and deploy endpoint detection and response (EDR) solutions with rules to flag rapid file deletion activities (MITRE ATT&CK technique T1485). Regularly back up critical systems offline and test restoration procedures; network segmentation limits wiper spread if a breach occurs.
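As an added illustration of the EDR-style rule described above (this is example code written for this page, not from the ESET report or from Boteraser), the following Python detector flags hosts that issue bursts of cmd.exe deletions against the document types listed in the indicators section and matches the Avenger/1.0 user-agent fragment in proxy logs. The log lines are constructed samples, and the threshold and window values are assumed starting points a defender would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Process-creation events: "<ISO time> host=<name> proc=<image path> cmd=<command line>"
PROC_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) cmd=(?P<cmd>.*)$")
# "del" followed later on the line by one of the document types named in the indicators
DEL_DOC_RE = re.compile(r"\bdel\b.*?\.(docx|xlsx|pdf|jpg)\b", re.IGNORECASE)
# User-agent fragment listed in the indicators section
UA_RE = re.compile(r"Avenger/1\.0")

# Constructed sample telemetry (not real IOCs): WS01 deletes five documents within
# 20 seconds; WS02 deletes one document and one non-document file.
SAMPLE_PROC_LOG = [
    r"2022-03-01T10:00:00 host=WS01 proc=C:\Windows\System32\cmd.exe cmd=cmd.exe /c del C:\Users\a\q1.docx",
    r"2022-03-01T10:00:05 host=WS01 proc=C:\Windows\System32\cmd.exe cmd=cmd.exe /c del C:\Users\a\q2.xlsx",
    r"2022-03-01T10:00:10 host=WS02 proc=C:\Windows\System32\cmd.exe cmd=cmd.exe /c del C:\Users\b\notes.txt",
    r"2022-03-01T10:00:10 host=WS01 proc=C:\Windows\System32\cmd.exe cmd=cmd.exe /c del C:\Users\a\plan.pdf",
    r"2022-03-01T10:00:12 host=WS02 proc=C:\Windows\System32\cmd.exe cmd=cmd.exe /c del C:\Users\b\scan.jpg",
    r"2022-03-01T10:00:15 host=WS01 proc=C:\Windows\System32\cmd.exe cmd=cmd.exe /c del C:\Users\a\img.jpg",
    r"2022-03-01T10:00:20 host=WS01 proc=C:\Windows\System32\cmd.exe cmd=cmd.exe /c del C:\Users\a\q3.docx",
]
SAMPLE_PROXY_LOG = [
    '2022-03-01T10:01:00 WS01 GET https://example.invalid/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/99.0"',
    '2022-03-01T10:01:03 WS01 POST https://example.invalid/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Avenger/1.0"',
]

def find_deletion_bursts(lines, threshold=5, window_seconds=60):
    """Return {host: ISO time of first alert} for hosts whose cmd.exe deletions of
    document types reach `threshold` within any `window_seconds` sliding window.
    Threshold and window are assumed defaults, not values taken from the page."""
    recent = defaultdict(deque)   # host -> timestamps of recent matching deletions
    flagged = {}
    for line in lines:
        m = PROC_RE.match(line)
        if not (m and m["proc"].lower().endswith("cmd.exe") and DEL_DOC_RE.search(m["cmd"])):
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["host"]]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()   # drop events that have fallen out of the window
        if len(q) >= threshold and m["host"] not in flagged:
            flagged[m["host"]] = ts.isoformat()
    return flagged

def find_ua_matches(proxy_lines):
    """Return proxy log lines carrying the user-agent fragment from the indicators."""
    return [line for line in proxy_lines if UA_RE.search(line)]
```

Deletion of non-document files (notes.txt above) is deliberately ignored so the rule keys on the file types the page names rather than on every del command.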