Saturday 1 October 2022

"Analysis of cyberweapons" course

I got requests from my colleagues from the US and EU universities to come up with the "Analysis of cyberweapons" course in English. In the first video, I start the series devoted to the analysis of the Russian cyberweapons used in the Russia-Ukraine war. 

The lessons will be published on my Patreon ( and YouTube channel (

For Ukrainians:

Monday 4 April 2022

Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware



  • Name: ‘Заборгованість по зарплаті.xls’

  • Discovered in March 2022

  • Was used in attacks against Ukrainian government agencies

  • Used to download GraphSteel and GrimPlant (a.k.a. Elephant) malware

  • Spreads via phishing emails as ‘.xls’ file with malicious VisualBasic script

  • ‘.xls’ file contains the encoded payload

  • Extracted file has PE64 format and written in Golang, downloads one file from the remote server

  • The downloaded file is PE64 and written in Golang. It downloads GraphSteel and GrimPlant malware.

  • The attack has been attributed to UAC-0056 also known as SaintBear, UNC2589, and TA471 which is known to attack Ukraine and Georgia since 2021. 

Thursday 17 March 2022

Analysis of CaddyWiper



  • Name: CaddyWiper

  • Discovered in March 2022

  • Was used in a targeted attack in Ukraine

  • Deployed via Microsoft Active Directory GPO

  • Corrupts files and disk partitions

  • PE32 sample written in C++

  • Compiled on the same day when it was deployed on targeted systems in Ukraine

by Denis Popov

Wednesday 26 January 2022

Analysis of WhisperGate


Summary of the attack

  • Name: WhisperGate

  • Discovered in January 2022

  • Used in a targeted attack against the Ukrainian government websites on the 14th of January, 2022

  • Overwrites the contents of files with the fixed number of bytes

  • Rewrites MBR, corrupts victims’ files, downloads and drops its own files

  • Corrupted files have a random 4-byte extension

  • Comes with 2 stages, PE64 written in C++ and .NET application with fake digital signatures

  • The third stage is .NET DLL, which is downloaded at runtime

                                                                                                by Denis Popov and Alexander Adamov

Friday 2 October 2020

Reinforcement Learning for Anti-Ransomware Testing

ML models have recommended themselves as a powerful tool for cyberdefense. AI/ML is heavily used in antiviruses (EDR), Next-Gen Firewalls, and SIEM (SOAR) solutions to solve the classification problem as well as to discover anomalous behavior that may indicate a presence of an attacker with the help of Supervised and Unsupervised Learning. Deep Learning helps to filter spam emails and mark fake news to protect users against disinformation [1].

Thursday 26 March 2020

AI and Cybersecurity. Part 4 - Clustering URLs

In Part 3, we tried to apply the feature scaling and dimensionality reduction techniques to the dataset with phishing and benign URLs. As a result, we were able to clearly see the distribution of URLs between two classes based on four attributes: registrar, country, lifetime, and protocol.

But what if we don’t have labels (phishing and benign) for the Internet links in the beginning. Will ML still work to detect phishing attacks? In this case, we may come to unsupervised learning, in particular, clustering. Clustering enables grouping objects of unknown classes according to common features so that we do not need labeled data for a training set.

Wednesday 18 March 2020

AI and Cybersecurity. Part 3 - Dimensionality Reduction and Feature Scaling

In the previous post, we created a binary classifier for detecting phishing URLs. Here, we're going to continue exploring the data with visualization techniques.