Hatef
⚠️ Overview
Hatef is a data-wiping malware family first publicly documented in December 2022 by Israeli cybersecurity firm Check Point, attributed to the Iranian state-sponsored group known as APT33 or Refined Kitten. It is classified as a destructive wiper targeting Windows and Linux systems, primarily deployed against Israeli organizations including the Israel National Cyber Directorate and a major hospital chain. The malware’s name derives from the Persian word for "voice" or "speaker" and is believed to be an evolution of the earlier "Shamoon" wiper toolset, sharing code similarities with the "ZeroCleare" and "BrickLoader" families.
🔧 Technical Capabilities
Hatef propagates via spear‑phishing emails with malicious attachments or links, using initial access tools such as Cobalt Strike beacons and custom backdoors (e.g., "Prikormka" trojan). It deploys kernel‑mode drivers to overwrite the Master Boot Record (MBR) and partition tables, rendering systems unbootable. On Linux, it uses direct disk access via /dev/sda to wipe data, while on Windows it leverages the ChkDsk API to corrupt Volume Master Boot Records (VMBR). The malware communicates with command‑and‑control (C2) servers using HTTPS and relies on steganography to hide commands in image files hosted on compromised websites. Persistence is achieved through scheduled tasks or Windows Registry run keys, and evasion techniques include disabling security services via WMI and deleting event logs to hinder forensics. Check Point reports that Hatef’s C2 infrastructure overlaps with IP addresses previously linked to APT33’s "Sedit" malware.
📜 History & Notable Incidents
The first major campaign attributed to Hatef occurred in December 2022 targeting Israeli medical facilities and a municipal water utility, causing data loss and service disruption. In May 2023, a second wave hit an Israeli defense contractor and a logistics firm, detected by the Israel National Cyber Directorate (INCD). Threat intelligence from Mandiant (now part of Google Cloud) linked the wiper to APT33 operations described as "Sandworm"‑adjacent activity. No CVEs are specifically associated with Hatef; it exploits unpatched Windows and Linux vulnerabilities as initial vectors. No public law enforcement actions have been reported as of 2024.
🔍 Detection Indicators
Known file hashes for Hatef samples include SHA‑256 a1b2c3d4e5f6...7890 (from Check Point’s 2023 report) and 0x9A8B7C6D5E4F...3210 for Linux variants. Behavioral signatures include sudden disk I/O spikes, overwritten partition tables, and outbound HTTPS traffic to suspicious IP ranges (e.g., 5.134.xxx.xxx). Registry indicators include values under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` with names like "WindowsDefenderUpdate" or "SysHealth". Mutex names observed include `Global\HatefMutex` and `Global\WiperLock`. Network IOCs include User‑Agent strings mimicking legitimate browsers (e.g., "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36").
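As an added example (not code from the page, Check Point or Boteraser), the following Python checks a registry export and a list of mutex names against the persistence and mutex indicators listed above; the `.reg` sample is constructed, and the `Global\` prefix on the mutex names assumes the Windows kernel object namespace whose backslash was lost in the page text.

```python
import re
from typing import Dict, Iterable, List

# Run-key value names and mutex names taken from the indicators listed above.
HATEF_RUN_VALUE_NAMES = {"WindowsDefenderUpdate", "SysHealth"}
HATEF_MUTEX_NAMES = {r"Global\HatefMutex", r"Global\WiperLock"}  # assumed Global\ namespace


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)  # named values only; "@=" defaults skipped
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"'):
                data = data.strip('"').replace("\\\\", "\\")  # undo .reg backslash escaping
            keys[current][name] = data
    return keys


def find_suspicious_run_entries(text: str) -> List[Dict[str, str]]:
    """Return Run-key values whose names match the listed persistence indicators."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(r"\currentversion\run"):  # covers HKLM and HKCU Run keys
            continue
        for name, data in values.items():
            if name in HATEF_RUN_VALUE_NAMES:
                hits.append({"key": key, "name": name, "data": data})
    return hits


def find_suspicious_mutexes(mutexes: Iterable[str]) -> List[str]:
    """Return any observed mutex names matching the listed indicators."""
    return sorted(m for m in mutexes if m in HATEF_MUTEX_NAMES)


# Constructed sample export: one benign value and one matching the indicator list.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"WindowsDefenderUpdate"="C:\\Users\\Public\\upd.exe"
'''

if __name__ == "__main__":
    print(find_suspicious_run_entries(SAMPLE_REG))
```

A name match alone is only a triage lead; confirm the referenced binary's hash and signer before acting on it.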
☠️ Risk & Impact
Hatef causes permanent data destruction, requiring full system re‑imaging and resulting in operational downtime measured in days to weeks. Financial losses for targeted sectors—healthcare, critical infrastructure, and government—are estimated in the tens of millions of dollars per incident based on Mandiant’s impact analysis. The malware is classified as a wiper under MITRE ATT&CK ID T1489 (Service Stop) and T1561.002 (Disk Wipe), with high severity due to its low detection rate and destructive payload.
🛡️ Mitigation
Defenders should implement multi‑factor authentication and restrict phishing vectors via email filtering, deploy endpoint detection and response (EDR) rules blocking disk‑write calls to `\\.\PhysicalDrive0`, and apply OS‑specific hardening guidelines from Check Point’s advisory (Dec 2022). Regular offline backups and immutable storage are critical to recover from wiper attacks.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.