TTPs used by DEV-0586 APT Group in WhisperGate Attack Targeting Ukraine

On January 15, 2021, the Microsoft Threat Intelligence Center (MSTIC) published a blog post stating that the nation-state threat group DEV-0586 had been conducting destructive malware operations against Ukrainian organizations. In this post, we share information about simulating and mitigating these malware attacks to help the cybersecurity community.

WhisperGate Wiper Malware

WhisperGate is a two-stage wiper malware that misrepresents itself as ransomware. The initial access vector is unknown at the moment; a supply chain attack is suspected [1].

In its first stage, WhisperGate overwrites the Master Boot Record (MBR) with a fake ransom note. Because the original MBR is overwritten rather than encrypted, it cannot be recovered, so the ransom note is a misdirection: paying the ransom would not help recover the lost data. Once the first stage has overwritten the MBR, powering down the infected system effectively bricks it, leaving it unable to boot.

In its second stage, WhisperGate malware corrupts files with certain extensions and in certain directories by overwriting them with 0xCC bytes. After overwriting and corrupting files, the malware renames the files with a random four-byte extension.


TTPs Used by DEV-0586 APT Group in WhisperGate Campaign

DEV-0586 hacking group uses the following tactics, techniques, and procedures (TTPs) in their WhisperGate wiper malware campaign:

Tactic: Execution

MITRE ATT&CK T1059.003 Command and Scripting Interpreter: Windows Command Shell

The first stage of WhisperGate malware uses the following Windows Command Shell command to execute the destructive malware:

cmd.exe /Q /c start c:\stage1.exe 1> \\\ADMIN$\__[TIMESTAMP] 2>&1

MITRE ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell

The second stage of WhisperGate malware uses PowerShell commands to connect its Command and Control (C2) server and download additional payloads [2].


The PowerShell command uses the -enc parameter. There is no parameter named -enc in the official PowerShell documentation; PowerShell resolves -enc to -EncodedCommand because it accepts any unambiguous prefix of a parameter name, so the abbreviation is completed to the full parameter.

-EncodedCommand accepts a Base64-encoded string version of a command. Decoding the Base64 string therefore reveals the following PowerShell command:

Start-Sleep -s 10
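As an added example (not code from the Picus post), the following Python triages process-creation command lines for both Execution techniques described above: it matches the stage-1 cmd.exe launch pattern, where output is redirected into a "__"-prefixed file on an ADMIN$ share, and it resolves abbreviated PowerShell parameters such as -enc to -EncodedCommand before decoding the UTF-16LE Base64 payload. The sample command lines, the host name in the UNC path, and the short list of PowerShell parameters are constructed assumptions for this example, not indicators from the report.

```python
import base64
import re
from typing import Optional

# Stage-1 launch pattern: cmd.exe /Q /c start <payload> with stdout and stderr
# redirected into a "__"-prefixed file on an ADMIN$ share (host part unspecified).
ADMIN_SHARE_REDIRECT = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+start\s+(?P<payload>\S+)\s+"
    r"1>\s*(?P<redirect>\\\\\S*ADMIN\$\\__\S*)\s+2>&1",
    re.IGNORECASE,
)

# A subset of powershell.exe parameters (assumption: enough for this example).
# PowerShell resolves any unambiguous prefix (-enc, -encoded, ...) to the full
# name; its usage text also lists the explicit short forms -ec and -e.
PARAMETERS = ("EncodedCommand", "ExecutionPolicy", "NoProfile",
              "NonInteractive", "Command", "WindowStyle")
EXPLICIT_ALIASES = {"e": "EncodedCommand", "ec": "EncodedCommand"}


def resolve_parameter(token: str) -> Optional[str]:
    """Map a '-xxx' token to the full parameter name, or None if unknown/ambiguous."""
    name = token.lstrip("-").lower()
    if name in EXPLICIT_ALIASES:
        return EXPLICIT_ALIASES[name]
    matches = [p for p in PARAMETERS if p.lower().startswith(name)]
    return matches[0] if len(matches) == 1 else None


def decode_encoded_command(value: str) -> str:
    """-EncodedCommand carries Base64 of the script text encoded as UTF-16LE."""
    return base64.b64decode(value).decode("utf-16-le")


def analyze_command_line(cmdline: str) -> dict:
    """Return findings keyed by ATT&CK technique id for one command line."""
    findings = {}
    m = ADMIN_SHARE_REDIRECT.search(cmdline)
    if m:
        findings["T1059.003"] = {"payload": m.group("payload"),
                                 "redirect": m.group("redirect")}
    tokens = cmdline.split()
    if tokens and "powershell" in tokens[0].lower():
        # Walk parameter tokens; the value follows the parameter, so stop one short.
        for i, tok in enumerate(tokens[1:-1], start=1):
            if tok.startswith("-") and resolve_parameter(tok) == "EncodedCommand":
                try:
                    decoded = decode_encoded_command(tokens[i + 1])
                except (ValueError, UnicodeDecodeError):
                    decoded = None  # not valid Base64/UTF-16LE, keep the hit anyway
                findings["T1059.001"] = {"parameter": tok, "decoded": decoded}
                break
    return findings


# Constructed sample command lines (HOST and the timestamp are placeholders).
ENCODED_SLEEP = base64.b64encode("Start-Sleep -s 10".encode("utf-16-le")).decode()
SAMPLES = [
    r"cmd.exe /Q /c start c:\stage1.exe 1> \\HOST\ADMIN$\__1700000000.123 2>&1",
    "powershell -enc " + ENCODED_SLEEP,
    "powershell -NoProfile -Command Get-Date",  # benign: no encoded command
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line[:60], "->", analyze_command_line(line) or "no findings")
```

Because the check resolves prefixes the way PowerShell does, it also catches variants such as -ec, -enco or -EncodedC that a literal "-enc" string match would miss.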

Tactic: Defense Evasion & Persistence

MITRE ATT&CK T1542.003 Pre-OS Boot: Bootkit

The first stage of WhisperGate modifies the Master Boot Record (MBR). Because the MBR is the first sector the BIOS loads and executes once hardware initialization completes, the altered MBR runs before the operating system and any security software, which lets the malware evade defenses.
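As an added example (not from the post), here is a small Python check that a responder can run against a captured first sector to spot an MBR that has been replaced: it parses the 446-byte boot code, the four partition entries and the 0x55AA signature, flags an empty partition table or invalid status bytes, flags boot code that is dominated by printable text (a ransom note rather than machine code), and compares the boot code against a known-good hash. The two 512-byte sectors at the bottom are constructed stand-ins, not captures of the real WhisperGate boot sector, and the 60% printable-text threshold is an assumption for this example.

```python
import hashlib
import struct
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: bootstrap code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status, CHS start (3 bytes skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_SIZE],
            "partitions": partitions,
            "signature": sector[510:512]}


def boot_code_sha256(sector: bytes) -> str:
    """Hash of the boot-code area only, usable as a known-good baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def inspect_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return human-readable anomalies; an empty list means nothing looked wrong."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if all(p["type"] == 0 for p in mbr["partitions"]):
        findings.append("partition table is empty")
    if any(p["status"] not in (0x00, 0x80) for p in mbr["partitions"]):
        findings.append("partition entry with invalid status byte")
    # Real bootstrap code is mostly machine code with a few short strings; a
    # boot-code area dominated by printable text points to a replaced MBR.
    printable = sum(32 <= b < 127 for b in mbr["boot_code"]) / BOOT_CODE_SIZE
    if printable > 0.6:  # assumed threshold for this example
        findings.append(f"boot code is {printable:.0%} printable text")
    if baseline_sha256 and boot_code_sha256(sector) != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    return findings


def _constructed_good_mbr() -> bytes:
    # Pseudo-random bytes stand in for bootstrap machine code (constructed).
    code = bytes((i * 37 + 11) % 256 for i in range(BOOT_CODE_SIZE))
    # One bootable NTFS-type partition (0x07) at LBA 2048; other entries empty.
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return code + entry + bytes(16 * 3) + BOOT_SIGNATURE


def _constructed_wiped_mbr() -> bytes:
    # Placeholder note text (constructed) padded to fill the boot-code area,
    # with the partition table zeroed.
    note = b"Your hard drive has been corrupted. (constructed placeholder note text)"
    code = note.ljust(BOOT_CODE_SIZE, b" ")
    return code + bytes(4 * PARTITION_ENTRY_SIZE) + BOOT_SIGNATURE


GOOD_MBR = _constructed_good_mbr()
WIPED_MBR = _constructed_wiped_mbr()

if __name__ == "__main__":
    baseline = boot_code_sha256(GOOD_MBR)
    for name, sector in (("good", GOOD_MBR), ("wiped", WIPED_MBR)):
        print(name, inspect_mbr(sector, baseline) or ["no anomalies"])
```

On a live Windows host the first sector can be read from the physical drive for the same check; the baseline hash should be taken from a known-clean image of the same machine type, since boot code differs between Windows versions.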

MITRE ATT&CK T1027 Obfuscated Files or Information

The second stage of WhisperGate delivers its PowerShell commands in Base64-encoded form.

Tactic: Discovery

MITRE ATT&CK T1083 File and Directory Discovery

The second stage of WhisperGate searches for specific file extensions in certain directories to alter their content.

Tactic: Command and Control

MITRE ATT&CK T1105 Ingress Tool Transfer

The second stage of WhisperGate downloads the file corruptor payload from a Discord channel hosted by the APT group. The download link for the malicious executable is hardcoded in stage2.exe.

Tactic: Impact

MITRE ATT&CK T1561 Disk Wipe

The first stage of WhisperGate overwrites the Master Boot Record for impact. When the MBR is overwritten, the infected system does not boot up after power down.

The second stage of WhisperGate overwrites files and adversely affects their integrity. Also, the malware renames the files to further its impact.
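As an added example (not from the post), the following Python triages a directory tree for files that look like they were hit by the stage-2 file corruptor described above: it flags files whose leading bytes are all 0xCC and notes whether the name carries a four-character appended extension. Checking only the first 4 KiB, and treating a four-character trailing extension as a hint rather than a rule, are assumptions for this example; the directory tree is constructed in a temporary folder and the file names in it are made up.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import List

FILL_BYTE = 0xCC
PROBE_SIZE = 4096  # assumption: the leading bytes are enough to decide
# Four-character trailing extension, as the post describes. Note that legitimate
# extensions such as .docx also match, so content is the primary signal.
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{4}$")


def looks_corrupted(path: Path) -> bool:
    """True when the file's leading bytes (or the whole file, if smaller) are all 0xCC."""
    with path.open("rb") as fh:
        head = fh.read(PROBE_SIZE)
    return len(head) > 0 and all(b == FILL_BYTE for b in head)


def scan_tree(root: Path) -> List[dict]:
    """Walk root and return one record per file that matches the 0xCC fill pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if looks_corrupted(p):
                hits.append({"path": p.relative_to(root).as_posix(),
                             "random_ext": bool(RANDOM_EXT.search(name)),
                             "size": p.stat().st_size})
    return sorted(hits, key=lambda h: h["path"])


def build_constructed_tree() -> Path:
    """Create a small temp tree mixing intact and 0xCC-filled files (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="whispergate_demo_"))
    (root / "docs").mkdir()
    # Intact document: normal content, not flagged.
    (root / "docs" / "report.docx").write_bytes(b"PK\x03\x04" + b"intact document bytes" * 20)
    # Overwritten files with an appended made-up four-character extension.
    (root / "docs" / "budget.xlsx.a9Zq").write_bytes(bytes([FILL_BYTE]) * 8192)
    (root / "notes.txt.Q7mp").write_bytes(bytes([FILL_BYTE]) * 300)
    # Overwritten file that kept its original name: still flagged on content alone.
    (root / "image.jpg").write_bytes(bytes([FILL_BYTE]) * 1024)
    # Empty file: nothing to judge, not flagged.
    (root / "empty.log").write_bytes(b"")
    return root


if __name__ == "__main__":
    root = build_constructed_tree()
    try:
        for hit in scan_tree(root):
            print(hit)
    finally:
        shutil.rmtree(root)
```

Keying the check on content rather than on the extension matters: a renamed file that was not overwritten is recoverable by renaming it back, while a 0xCC-filled file is not, and counting the second kind gives the real scope of the damage.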

WhisperGate Attack Simulations with Picus

Picus Continuous Security Validation Platform tests your security controls against WhisperGate malware variants and suggests related prevention methods.

Picus Labs advises you to simulate these malware families and determine the effectiveness of your security controls against them. Picus Threat Library consists of eight attack simulations for WhisperGate MBR Wiper malware of DEV-0586 APT group. 

Threat Name

WhisperGate MBR Wiper Malware used by DEV-0586 Threat Group .EXE File Download (1 Variant)

WhisperGate MBR Wiper Downloader used by DEV-0586 Threat Group .EXE File Download (2 Variants)

WhisperGate MBR Wiper Malware used by DEV-0586 Threat Group .DLL File Download (5 Variants)


Indicators of Compromise

[1] F. Bajak, “Microsoft discloses malware attack on Ukraine govt networks,” Associated Press, 16-Jan-2022. [Online]. Available:

[2] Joe Security LLC, “Automated Malware Analysis Report for stage2.exe - Generated by Joe Sandbox,” Joe Security LLC. [Online]. Available: [Accessed: 17-Jan-2022]