
S0689: WhisperGate

WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.[1][2][3]

Domain: Enterprise | ID: S0689 | Type: Malware | Object version 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

WhisperGate matters because ATT&CK describes it as a multi-stage Windows wiper designed to look like ransomware and used against government, non-profit, and IT organizations in Ukraine since at least January 2022. For leaders, the key decision point is not ransom negotiation readiness; it is destructive-malware resilience: can the organization identify suspicious execution early, preserve evidence, isolate affected systems, and restore critical services from trusted backups if data or disk content is destroyed?

Executive priority

Treat this as a resilience and incident-command scenario. The ATT&CK relationships connect WhisperGate to execution via PowerShell, Windows Command Shell, Visual Basic, Native API, and InstallUtil; stealth through masquerading, encoded files, process hollowing, token-based process creation, and cleanup; discovery of files, shares, systems, and security tools; command-and-control over web services/protocols; and impact through data destruction, disk content wiping, and shutdown/reboot. Executives should ask whether destructive-malware playbooks, backup recovery evidence, endpoint visibility, privileged access controls, and crisis communications are tested for a fast-moving Windows incident.

Technical view

SOC and IR teams should validate coverage around the mapped behaviors rather than relying on a single malware signature, especially because the official ATT&CK object provides no dedicated detection text. Focus on Windows execution telemetry for PowerShell, cmd, VB-related execution, Native API-heavy behavior, InstallUtil proxy execution, suspicious process hollowing, and processes created with alternate tokens. Correlate those signals with file/share discovery, security software discovery, ingress tool transfer, web-based C2 patterns, file deletion, reboot activity, and destructive writes consistent with data or disk-content wiping. ATT&CK also relates WhisperGate to Ember Bear use; use that as threat-intelligence context, not as automatic attribution for local incidents.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • PowerShell script block/module/transcription logs where enabled
  • Windows Command Shell execution records
  • VB/script execution evidence
  • InstallUtil execution and .NET binary load activity

Detection direction

  • Build behavior-based detections around the ATT&CK relationships: suspicious script execution, proxy execution through InstallUtil, encoded/deobfuscated content, masqueraded binaries, process hollowing, token-based process creation, and unusual file/share discovery.
  • Tune impact detections for destructive patterns: rapid file deletion or overwrite, disk-content wipe indicators, unexpected shutdown/reboot activity, and combinations of discovery followed by destructive writes.
  • Correlate endpoint and network signals. Web protocols and legitimate web services can be noisy, so detections should consider unusual process lineage, newly transferred tools, rare destinations, and timing relative to local execution.
  • Validate blind spots explicitly: missing PowerShell logging, incomplete command-line capture, limited memory/process telemetry, weak SMB/share enumeration visibility, lack of disk-write monitoring, and backup systems not monitored for tampering or destructive activity.
  • Use the Ember Bear relationship as enrichment for threat hunting and reporting context, while avoiding automatic attribution without local evidence.
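As an added illustration of the behavior-based detections listed above (not Glexia's or MITRE's code), the following Python triages constructed process-creation events for two behaviors recorded in this page's relationship table: AdvancedRun.exe running `sc.exe stop WinDefend` as TrustedInstaller, and InstallUtil.exe started outside a build context. The event schema, host names and file paths are assumptions.

```python
"""Behavior-based triage of Windows process-creation events for the WhisperGate
chain (AdvancedRun.exe -> sc.exe stop WinDefend, InstallUtil.exe proxy execution).
Added example, not Glexia's or MITRE's code; event schema and samples are constructed."""
import re
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]  # constructed schema: host, image, parent_image, cmdline


def _is(image: str, name: str) -> bool:
    """Compare a process image by file name only, ignoring directory and case."""
    return image.lower().rsplit("\\", 1)[-1] == name


# (ATT&CK id from the relationship table, description, predicate over one event)
RULES: List[Tuple[str, str, Callable[[Event], object]]] = [
    ("T1134.002", "AdvancedRun.exe running sc.exe stop WinDefend as TrustedInstaller (/RunAs 8)",
     lambda e: _is(e["image"], "advancedrun.exe")
     and re.search(r"/RunAs\s+8\b", e["cmdline"], re.I)
     and re.search(r"stop\s+windefend", e["cmdline"], re.I)),
    ("T1569.002", "sc.exe stopping the Windows Defender service",
     lambda e: _is(e["image"], "sc.exe") and re.search(r"\bstop\s+windefend\b", e["cmdline"], re.I)),
    ("T1218.004", "InstallUtil.exe launched outside a .NET build/IDE context",
     lambda e: _is(e["image"], "installutil.exe")
     and not _is(e["parent_image"], "msbuild.exe") and not _is(e["parent_image"], "devenv.exe")),
]


def match_rules(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (host, technique id, description) for every event that hits a rule."""
    return [(e["host"], tech, desc) for e in events for tech, desc, pred in RULES if pred(e)]


def hosts_with_chain(events: List[Event]) -> List[str]:
    """Hosts showing Defender tampering AND InstallUtil proxy execution: the
    combination is far rarer than either signal alone, so it is worth alerting on."""
    seen: Dict[str, Set[str]] = {}
    for host, tech, _ in match_rules(events):
        seen.setdefault(host, set()).add(tech)
    return sorted(h for h, t in seen.items() if "T1218.004" in t and t & {"T1134.002", "T1569.002"})


# Constructed sample events; host names, user paths and stage3.exe are illustrative only.
TMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS: List[Event] = [
    {"host": "ws01", "image": TMP + r"\AdvancedRun.exe", "parent_image": TMP + r"\stage3.exe",
     "cmdline": r'AdvancedRun.exe /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 '
                r'/CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run'},
    {"host": "ws01", "image": r"C:\Windows\System32\sc.exe", "parent_image": TMP + r"\AdvancedRun.exe",
     "cmdline": "sc.exe stop WinDefend"},
    {"host": "ws01", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": TMP + r"\stage3.exe", "cmdline": "InstallUtil.exe"},
    {"host": "build01", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Program Files\MSBuild\MSBuild.exe", "cmdline": "InstallUtil.exe /u svc.dll"},
]
```

The build01 event shows the benign exclusion: InstallUtil under MSBuild produces no hit, while ws01 trips all three rules and is reported by `hosts_with_chain`.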

Mitigation priorities

  • Prioritize tested, offline or otherwise resilient backups for critical Windows systems and business data; confirm restore speed and integrity, not just backup existence.
  • Harden and monitor administrative execution paths: PowerShell, cmd, VB/script execution, InstallUtil, and other trusted utilities that can proxy execution.
  • Apply least privilege and privileged access controls to reduce the value of token abuse and unauthorized destructive actions.
  • Segment critical services and restrict unnecessary access to network shares to limit discovery and propagation opportunities.
  • Ensure endpoint detection, logging, and incident response processes can preserve evidence and isolate hosts quickly during suspected destructive activity.

Analyst notes and limits

The official ATT&CK description identifies WhisperGate as a multi-stage wiper made to resemble ransomware and used against multiple Ukrainian government, non-profit, and IT organizations. ATT&CK relationships provide the most useful defensive context: execution, stealth, discovery, command-and-control, and impact behaviors. Because no official detection guidance is supplied, this take emphasizes validation of telemetry and behavior coverage rather than claiming specific detection efficacy.

This assessment is limited to the supplied ATT&CK STIX fields, external references, and relationships. The object lists Windows as the malware platform and does not provide official detection text, aliases, or tactics for the malware object itself. Local conclusions require environment-specific evidence such as logs, endpoint alerts, file samples, network records, and recovery-test results.

Official MITRE ATT&CK definition

WhisperGate

WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.[1][2][3]

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

28 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1542.003 | Bootkit (sub-technique)
WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots. [Citations: Crowdstrike WhisperGate January 2022; Cybereason WhisperGate February 2022; Microsoft WhisperGate January 2022; Cisco Ukraine Wipers January 2022; Medium S2W WhisperGate January 2022]

Enterprise | T1620 | Reflective Code Loading
WhisperGate's downloader can reverse its third-stage file bytes and reflectively load the file as a .NET assembly. [Citation: RecordedFuture WhisperGate Jan 2022]

Enterprise | T1485 | Data Destruction
WhisperGate can corrupt files by overwriting the first 1 MB with `0xcc` and appending random extensions. [Citations: Microsoft WhisperGate January 2022; Crowdstrike WhisperGate January 2022; Cybereason WhisperGate February 2022; Unit 42 WhisperGate January 2022; Cisco Ukraine Wipers January 2022; Medium S2W WhisperGate January 2022]

Enterprise | T1685 | Disable or Modify Tools
WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the C:\ drive. [Citations: Unit 42 WhisperGate January 2022; Cisco Ukraine Wipers January 2022; Medium S2W WhisperGate January 2022]

Enterprise | T1083 | File and Directory Discovery
WhisperGate can locate files based on hardcoded file extensions. [Citations: Microsoft WhisperGate January 2022; Unit 42 WhisperGate January 2022; Cisco Ukraine Wipers January 2022; Medium S2W WhisperGate January 2022]

Enterprise | T1059.001 | PowerShell (sub-technique)
WhisperGate can use PowerShell to support multiple actions including execution and defense evasion. [Citations: Unit 42 WhisperGate January 2022; Cisco Ukraine Wipers January 2022; Medium S2W WhisperGate January 2022]

Enterprise | T1218.004 | InstallUtil (sub-technique)
WhisperGate has used `InstallUtil.exe` as part of its process to disable Windows Defender. [Citation: Unit 42 WhisperGate January 2022]

Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique)
WhisperGate can Base64-encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage. [Citations: Cisco Ukraine Wipers January 2022; Medium S2W WhisperGate January 2022; RecordedFuture WhisperGate Jan 2022]

Enterprise | T1106 | Native API
WhisperGate has used `ExitWindowsEx`, among other API calls, to flush file buffers to disk and stop running processes. [Citations: Cisco Ukraine Wipers January 2022; RecordedFuture WhisperGate Jan 2022]

Enterprise | T1071.001 | Web Protocols (sub-technique)
WhisperGate can make an HTTPS connection to download additional files. [Citations: Unit 42 WhisperGate January 2022; Medium S2W WhisperGate January 2022]

Enterprise | T1070.004 | File Deletion (sub-technique)
WhisperGate can delete tools from a compromised host after execution. [Citation: Cisco Ukraine Wipers January 2022]

Enterprise | T1561.002 | Disk Structure Wipe (sub-technique)
WhisperGate can overwrite the Master Boot Record (MBR) on victim systems with a malicious 16-bit bootloader. [Citations: Microsoft WhisperGate January 2022; Crowdstrike WhisperGate January 2022; Cybereason WhisperGate February 2022; Unit 42 WhisperGate January 2022; Cisco Ukraine Wipers January 2022; Medium S2W WhisperGate January 2022]

Enterprise | T1561.001 | Disk Content Wipe (sub-technique)
WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets. [Citations: Crowdstrike WhisperGate January 2022; Cisco Ukraine Wipers January 2022; Medium S2W WhisperGate January 2022]

Enterprise | T1497.001 | System Checks (sub-technique)
WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools. [Citation: Unit 42 WhisperGate January 2022]

Enterprise | T1518.001 | Security Software Discovery (sub-technique)
WhisperGate can recognize the presence of monitoring tools on a target system. [Citation: Unit 42 WhisperGate January 2022]

Enterprise | T1135 | Network Share Discovery
WhisperGate can enumerate connected remote logical drives. [Citation: Cisco Ukraine Wipers January 2022]

Enterprise | T1569.002 | Service Execution (sub-technique)
WhisperGate can download and execute AdvancedRun.exe via `sc.exe`. [Citations: Medium S2W WhisperGate January 2022; Unit 42 WhisperGate January 2022]

Enterprise | T1529 | System Shutdown/Reboot
WhisperGate can shut down a compromised host through execution of `ExitWindowsEx` with the `EXW_SHUTDOWN` flag. [Citation: Cisco Ukraine Wipers January 2022]

Enterprise | T1055.012 | Process Hollowing (sub-technique)
WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility `InstallUtil.exe`. [Citations: Cisco Ukraine Wipers January 2022; RecordedFuture WhisperGate Jan 2022]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
WhisperGate can use `cmd.exe` to execute commands. [Citation: Unit 42 WhisperGate January 2022]

Enterprise | T1059.005 | Visual Basic (sub-technique)
WhisperGate can use a Visual Basic script to exclude the `C:\` drive from Windows Defender. [Citations: Unit 42 WhisperGate January 2022; Cisco Ukraine Wipers January 2022]

Enterprise | T1134.002 | Create Process with Token (sub-technique)
The WhisperGate third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group via `%TEMP%\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run`. [Citation: Cisco Ukraine Wipers January 2022]

Enterprise | T1102 | Web Service
WhisperGate can download additional payloads hosted on a Discord channel. [Citations: Crowdstrike WhisperGate January 2022; Unit 42 WhisperGate January 2022; Microsoft WhisperGate January 2022; Cisco Ukraine Wipers January 2022; Medium S2W WhisperGate January 2022]

Enterprise | T1680 | Local Storage Discovery
WhisperGate has the ability to enumerate fixed logical drives on a targeted system. [Citation: Cisco Ukraine Wipers January 2022]

Enterprise | T1497.003 | Time Based Checks (sub-technique)
WhisperGate can pause for 20 seconds to bypass antivirus solutions. [Citations: Medium S2W WhisperGate January 2022; RecordedFuture WhisperGate Jan 2022]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations. [Citations: Cisco Ukraine Wipers January 2022; Medium S2W WhisperGate January 2022]

Enterprise | T1036 | Masquerading
WhisperGate has been disguised with a JPG extension to avoid detection as a malicious PE file. [Citation: Medium S2W WhisperGate January 2022]

Enterprise | T1105 | Ingress Tool Transfer
WhisperGate can download additional stages of malware from a Discord CDN channel. [Citations: Microsoft WhisperGate January 2022; Unit 42 WhisperGate January 2022; Cisco Ukraine Wipers January 2022; Medium S2W WhisperGate January 2022]
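As an added forensic-triage example for the T1485 row above (not Glexia's or MITRE's code), the Python below scans a directory for files whose first 1 MB is entirely `0xcc` and notes which of them also carry a short appended extension. The sample files are constructed in a temporary directory, and the 4-character extension length is an assumption.

```python
"""Forensic triage for the T1485 pattern in the relationship table: each targeted
file has its first 1 MB overwritten with 0xcc and a random extension appended.
Added example, not Glexia's or MITRE's code; sample files are constructed below
and the 4-character extension length is an assumption, not a documented fact."""
import re
import tempfile
from pathlib import Path
from typing import List

WIPE_LEN = 1024 * 1024      # "first 1 MB" from the relationship text
WIPE_BYTE = 0xCC
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{4}$")   # assumed shape of the appended extension


def is_wiped(path: Path) -> bool:
    """True when the file's leading 1 MB (or the whole file, if shorter) is all 0xcc.
    Only the prefix is read, so checking large files stays cheap."""
    size = path.stat().st_size
    if size == 0:
        return False
    with path.open("rb") as fh:
        head = fh.read(min(size, WIPE_LEN))
    return head == bytes([WIPE_BYTE]) * len(head)


def triage(root: Path) -> List[str]:
    """List wiped files under root, noting those that also carry a random-looking extension."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_wiped(p):
            note = " (random extension)" if RANDOM_EXT.search(p.name) else ""
            findings.append(p.relative_to(root).as_posix() + note)
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed samples: a small wiped file, an intact file, a file larger than 1 MB
    whose tail survives (only the first 1 MB is overwritten), and a partially-0xcc file."""
    (root / "report.docx.a1b2").write_bytes(bytes([WIPE_BYTE]) * 4096)
    (root / "notes.txt").write_bytes(b"quarterly numbers, untouched\n")
    (root / "archive.zip.zz9q").write_bytes(bytes([WIPE_BYTE]) * WIPE_LEN + b"surviving tail")
    (root / "half.bin").write_bytes(bytes([WIPE_BYTE]) * 10 + b"\x00")   # not all 0xcc: not wiped


def demo() -> List[str]:
    """Build the constructed tree in a temp directory and return the triage findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return triage(root)
```

Run `demo()` to see the two wiped files reported; files such as `half.bin`, which are not uniformly `0xcc`, are left out so that ordinary binaries do not generate noise.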

Associated objects

Groups, software, and campaigns

Group Enterprise

G1003: Ember Bear

Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present, available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.2
Raw hash: c9b8d35915782b10...

Imported snapshots across ATT&CK releases (1)
Release | Object version | Status | Raw hash
19.1 | 1.2 | Current bundle | c9b8d3591578…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Cybereason WhisperGate February 2022: Cybereason Nocturnus. (2022, February 15). Cybereason vs. WhisperGate and HermeticWiper. Retrieved March 10, 2022.
  [2] Unit 42 WhisperGate January 2022: Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  [3] Microsoft WhisperGate January 2022: MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.
  [4] mitre-attack S0689

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.