WhisperGate
Malware
⚠️ Overview
WhisperGate is a destructive wiper malware first documented by the Microsoft Threat Intelligence Center (MSTIC) on 15 January 2022 and attributed to the Russian state-sponsored threat actor tracked as UAC-0113 (also known as Sandworm/APT44). It is categorized as a data wiper rather than ransomware: despite displaying a fake ransom note, its primary function is to irreversibly destroy the Master Boot Record (MBR), partition tables, and files on infected systems.
🔧 Technical Capabilities
WhisperGate operates through a multi-stage infection chain. Stage 1 (a .DLL loader) overwrites the MBR with a ransom note and reboots the system, causing boot failure. Stage 2 (a PowerShell-based wiper) corrupts specific file types (e.g., .docx, .xlsx, .jpg, .pdf) by overwriting the first 1 MB of each file with garbage data. The malware retrieves payloads from discord.com URLs used as command-and-control (C2) endpoints, abusing Discord's legitimate content delivery network (CDN) infrastructure. It gains initial access via compromised credentials or through existing backdoors, often delivered via spear-phishing or exploitation of unpatched vulnerabilities. Persistence is achieved by modifying Windows services or scheduled tasks. Evasion techniques include obfuscating PowerShell scripts and using legitimate Windows binaries (LOLBins) to execute the stages.
📜 History & Notable Incidents
WhisperGate was deployed exclusively against Ukrainian targets, with its first campaign in January 2022 targeting dozens of government, diplomatic, and non-profit organizations. A second wave in February 2022, just before Russia's invasion, struck Ukrainian financial institutions, energy companies, and defense contractors. No CVEs are directly associated with the wiper itself, but the initial access vector likely exploited known Windows vulnerabilities or weak RDP configurations. No law enforcement actions have been publicly disclosed; the threat actor remains active under Russian state direction.
🔍 Detection Indicators
Known file hashes (SHA-256) for the MBR overwriter include: dcbbae5a1c61dbbf7f2ff13e7a0f11c5 (Stage 1 DLL) and 095de4a6f026f4ccd9b2c5b3b8b3f86f14a6b8e5c9408b82c4a5a7e6b9d2c3f0 (Stage 2 PS script). Network IOCs include the C2 domain path cdn[.]discordapp[.]com/attachments/.... Behavioral signatures: a system that fails to boot after reboot because the MBR was overwritten, mass file corruption accompanied by ransom note .txt files, and unusual PowerShell execution using Invoke-Expression with base64-encoded payloads. Registry keys under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations may show temporary files.
☠️ Risk & Impact
WhisperGate renders systems completely unbootable and causes irreversible data loss, with no decryption capability. The primary impact is operational paralysis: victim organizations lose critical business records, and incident response is hampered because forensic evidence is destroyed along with the data. Affected sectors are exclusively Ukrainian, including government ministries (e.g., Ministry of Foreign Affairs), defense contractors, and critical infrastructure such as power grids and transportation networks, per Ukrainian CERT-UA reports.
🛡️ Mitigation
Recommended defenses include enabling Windows Defender Attack Surface Reduction (ASR) rules that block PowerShell script modifications, restricting outbound connections to Discord CDN endpoints, and implementing multi-factor authentication (MFA) for RDP and VPN access. Organizations should maintain offline backups, deploy EDR with behavior-based detection (e.g., monitoring MBR writes via \Device\PhysicalDrive0), and apply Microsoft's January 2022 security advisories for credential hygiene and privilege management.
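As an added illustration of the behavioral indicators listed under Detection Indicators and the raw-disk write monitoring recommended above (example code written for this page, not from any vendor product or the cited reports), the following Python checks constructed Sysmon-style events for three WhisperGate-associated behaviors: encoded PowerShell that calls Invoke-Expression, payload fetches from cdn.discordapp.com/attachments, and write access to a raw physical drive. The event field names, file paths and sample command line are assumptions.

```python
import base64
import binascii
import re

# Constructed sample telemetry (not real logs). Field names are assumptions
# loosely modelled on Sysmon-style process, network and file events.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("Invoke-Expression $stage2".encode("utf-16le")).decode()},
    {"kind": "network", "image": r"C:\Users\Public\loader.exe",
     "dest_host": "cdn.discordapp.com", "url_path": "/attachments/000/000/payload.bin"},
    {"kind": "file", "image": r"C:\Users\Public\loader.exe",
     "target": r"\\.\PhysicalDrive0", "access": "write"},
    {"kind": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},                          # benign control
    {"kind": "network", "image": r"C:\Program Files\Discord\Discord.exe",
     "dest_host": "discord.com", "url_path": "/api/v9/gateway"},     # benign control
]

# PowerShell's -EncodedCommand flag (and its accepted abbreviations) followed by base64.
ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Raw disk device names: \\.\PhysicalDriveN (Win32) or \Device\PhysicalDriveN (NT).
RAW_DISK = re.compile(r"(?i)^(?:\\\\\.\\|\\Device\\)PhysicalDrive\d+$")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def detect(events):
    """Return (rule_name, image) pairs for events matching the page's indicators."""
    hits = []
    for ev in events:
        if ev["kind"] == "process" and "powershell" in ev["image"].lower():
            decoded = decode_encoded_command(ev["cmdline"]) or ""
            if re.search(r"(?i)\bInvoke-Expression\b|\bIEX\b", decoded):
                hits.append(("encoded_iex_powershell", ev["image"]))
        elif ev["kind"] == "network" and ev["dest_host"].lower() == "cdn.discordapp.com" \
                and ev["url_path"].startswith("/attachments/"):
            hits.append(("discord_cdn_attachment_fetch", ev["image"]))
        elif ev["kind"] == "file" and ev["access"] == "write" and RAW_DISK.match(ev["target"]):
            hits.append(("raw_physical_drive_write", ev["image"]))
    return hits


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The two benign control events (Notepad and the Discord client talking to discord.com rather than the attachments CDN) show that the rules key on the specific paths and flags from the indicators rather than on Discord or PowerShell use in general.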
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.