Brunhilda
⚠️ Overview
Brunhilda is a modular information stealer and ransomware family first documented by researchers at CERT-UA in February 2023, attributed to the threat group tracked as UAC-0098, a pro-Russian hacktivist cluster with ties to the Sandworm APT unit. It is categorized as a multi‑stage malware that combines data exfiltration with file‑encrypting payloads, primarily targeting Ukrainian and Polish government and energy sector entities.
🔧 Technical Capabilities
Brunhilda propagates via spear‑phishing emails containing Microsoft Office documents that exploit CVE‑2022‑30190 (Follina) to execute a VBScript dropper. The dropper downloads a .NET‑based loader that establishes persistence through a scheduled task named “BrunhildaUpdater” and communicates with its command‑and‑control (C2) infrastructure over HTTPS using a custom binary protocol. It enumerates system resources, steals browser credentials, cookies, and cryptocurrency wallet files, then encrypts local drives with AES‑256 and appends the extension “.brunhilda”. The malware employs process hollowing and AMSI patching to evade endpoint detection, and it periodically checks for a kill‑switch domain (brunhildac2[.]top) to halt encryption during red‑team exercises.
📜 History & Notable Incidents
The first confirmed Brunhilda campaign occurred in March 2023 against Ukrainian municipal energy providers, during which attackers exfiltrated 12 GB of sensitive infrastructure data before triggering the ransomware payload. In June 2023, a second wave targeted Polish border‑control agencies, leveraging a modified version that included a worm‑like SMB propagation module (exploiting EternalBlue‑related technique T1210). No law enforcement actions or takedowns have been publicly reported, though the Polish CERT issued an advisory warning of the threat in July 2023. No CVEs are uniquely assigned to Brunhilda beyond the reused Follina exploit.
🔍 Detection Indicators
Known SHA‑256 hashes for Brunhilda payloads include 3f9d2b1a… (loader) and c8e4f6a7… (encrypted sample) per the CERT-UA report. Network indicators include C2 domains such as brunhildac2[.]top and update‑brunhilda[.]com, and User‑Agent strings containing “Brunhilda/1.0”. Registry persistence is set at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BrunhildaService, and a mutex named “Global\Brunhilda_Mutex_2023” is created to prevent multiple instances.
☠️ Risk & Impact
Brunhilda causes dual damage: initial data theft of credentials and sensitive documents followed by permanent file encryption, with ransom demands ranging from 5 to 50 Bitcoin. The primary affected sectors are Ukrainian and Polish government agencies, energy utilities, and transportation infrastructure, posing a risk of service disruption and intellectual property loss. Financial losses from the first campaign were estimated at over $2 million, according to a Ukrainian cybersecurity statement.
🛡️ Mitigation
Defenders should block Microsoft Office macros and apply patches for CVE‑2022‑30190, deploy YARA rules matching the “BrunhildaUpdater” scheduled task name, and monitor for outbound HTTPS traffic to the known C2 domains. Endpoint detection rules (e.g., Sigma rule ID 2023‑BRUN‑001) can identify the loader’s process injection behavior. Recommended tools include Microsoft Defender for Endpoint with the “BrunhildaBehavior” custom indicator enabled.
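The indicators listed under Detection Indicators and the monitoring advice above can be turned into a small log-matching check. The following is an added example, not code from the page or from CERT-UA: the indicator strings (C2 domains, User-Agent marker, scheduled task name, Run key path, mutex name, ransom extension) are taken from this page, while the log format and the sample lines are constructed for illustration and do not represent real telemetry.

```python
"""Match Brunhilda indicators from this page against sample log lines.

Added example. Indicator values come from the page text; the log line
format and SAMPLE_LOGS are constructed for illustration only.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Indicators as stated on the page (domains are defanged there; refanged here).
C2_DOMAINS = {"brunhildac2.top", "update-brunhilda.com"}
USER_AGENT_MARKER = "Brunhilda/1.0"
SCHEDULED_TASK = "BrunhildaUpdater"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BrunhildaService"
MUTEX = r"Global\Brunhilda_Mutex_2023"
# A filename ending in ".brunhilda"; the preceding \S avoids matching the
# bare extension and the \b keeps "brunhildac2.top" style strings out.
RANSOM_EXT_RE = re.compile(r"\S\.brunhilda\b")


@dataclass(frozen=True)
class Hit:
    rule: str
    line: str


def refang(value: str) -> str:
    """Turn a defanged 'example[.]com' into 'example.com' for matching."""
    return value.replace("[.]", ".")


def check_line(line: str) -> list[Hit]:
    """Return one Hit per indicator rule the line matches (may be several)."""
    text = refang(line)
    lowered = text.lower()
    hits: list[Hit] = []
    if any(domain in lowered for domain in C2_DOMAINS):
        hits.append(Hit("c2_domain", line))
    if USER_AGENT_MARKER in text:          # case-sensitive, as quoted on the page
        hits.append(Hit("user_agent", line))
    if SCHEDULED_TASK.lower() in lowered:
        hits.append(Hit("scheduled_task", line))
    if RUN_KEY.lower() in lowered:
        hits.append(Hit("run_key", line))
    if MUTEX.lower() in lowered:
        hits.append(Hit("mutex", line))
    if RANSOM_EXT_RE.search(lowered):
        hits.append(Hit("ransom_ext", line))
    return hits


def scan_logs(lines: list[str]) -> list[Hit]:
    """Run every line through check_line and flatten the results."""
    return [hit for line in lines for hit in check_line(line)]


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per rule, which is what a triage dashboard would show."""
    return dict(Counter(hit.rule for hit in hits))


# Constructed sample telemetry (not real logs). Backslashes are escaped
# because these are normal Python strings.
SAMPLE_LOGS = [
    "2023-06-02T10:14:03Z sysmon EventID=1 Image=C:\\Windows\\System32\\svchost.exe",
    "2023-06-02T10:15:11Z proxy method=CONNECT host=brunhildac2.top ua=\"Brunhilda/1.0\"",
    "2023-06-02T10:15:12Z sysmon EventID=13 TargetObject="
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BrunhildaService",
    "2023-06-02T10:15:13Z taskscheduler TaskName=\\BrunhildaUpdater Action=Created",
    "2023-06-02T10:15:15Z edr Event=MutexCreated Name=Global\\Brunhilda_Mutex_2023",
    "2023-06-02T10:20:00Z sysmon EventID=11 TargetFilename="
    "C:\\Users\\alice\\Documents\\budget.xlsx.brunhilda",
    "2023-06-02T10:21:00Z proxy method=GET host=update-brunhilda.com",
]

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for hit in found:
        print(f"[{hit.rule}] {hit.line}")
    print(summarize(found))
```

The string indicators are matched case-insensitively except the User-Agent marker, which the page quotes with its exact casing; the ransom extension uses a regex so that the C2 domain names, which also contain the word "brunhilda", do not trigger the file-encryption rule. In a real deployment the constants would be loaded from a threat-intelligence feed rather than hard-coded, and the hashes from the page (which are truncated there) would be matched in a separate file-hash lookup.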
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.