Ukraine government entities targeted by a destructive malware “Whispergate”

Threat Level – Red | Vulnerability Report
Download PDF

For a detailed advisory, download the pdf file here.

A malware attack was carried out on Ukraine government, non-profit, and IT entities with a wiper disguised as ransomware. The threat actor, DEV-0586 targeted government bodies that provide critical executive branch or emergency response functions.

The attack using the malware “Whispergate” was preformed in two stages:

Stage 1: The malware overwrites the Master Boot Record to display a faked ransom note that requests the payment of a $10,000 ransomware in bitcoin.

Stage 2: Stage2.exe is a downloader for second stage malware that corrupts files and is hosted on a Discord channel. After that, the corrupter virus searches for files with hundreds of various extensions, overwrites their contents with a predetermined quantity of 0xCC bytes, and renames each file with an apparently random four-byte extension.

This attack is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.

Previously on 13th of January an attack by UNC1151 targeted at least 15 websites belonging to various Ukrainian public institutions were compromised, defaced, and subsequently taken offline. The attackers carried out a supply chain attack by using the vulnerability CVE-2021-32648 in October CMS which is a free content management system. Exploiting this vulnerability, the hackers could send a password reset request for an account in this system and then gain access to it.

The attacks are not linked currently but there is a huge possibility that they are carried simultaneously. To mitigate the risk organizations are advised to update October CMS to the latest version and also to monitor the hashes in their system.

Actor Details

Vulnerability Details

Indicators of Compromise (IoCs)


Patch Link


What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox