Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomwareUsed by 2 actors

WhiteLock

WhiteLock is ransomware associated with Iranian-aligned cyber activity and tracked in reporting on operations linked to Cotton Sandstorm, also known as Haywire Kitten. Check Point Research reported that Cotton Sandstorm pre-positioned WezRat and WhiteLock before the February 28, 2026 strikes, and that intrusions involving the group used WezRat, a custom modular infostealer, followed in some cases by deployment of WhiteLock ransomware. Multiple cited reports state that WhiteLock was deployed specifically against Israeli targets, and that Cotton Sandstorm also used the Altoufan Team persona for hack-and-leak amplification. The available content does not provide technical details on WhiteLock’s encryption routine, persistence, propagation, ransom note format, or specific indicators of compromise beyond its observed association with Cotton Sandstorm/Haywire Kitten, prior WezRat deployment, and targeting of Israeli organizations in the context of the 2026 regional conflict.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Cotton Sandstorm

Cotton Sandstorm deployed WezRat and WhiteLock alongside the Altoufan persona for hack-and-leak amplification.

via centripetal threat researchcentripetal.ai
Handala

...attacks using ‘WhiteLock’ ransomware, deployed after WezRat infostealer.

via checkpoint research blogresearch.checkpoint.com
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique
T1486Data Encrypted for ImpactEvidence1

“attacks using ‘WhiteLock’ ransomware, deployed after WezRat infostealer.”

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
scworldNews
Apr 2, 2026
4 steps teams can take to mitigate Iranian cyberattacks on critical infrastructure | perspective | SC Media

A backdoor or access tool reportedly pre-positioned by Cotton Sandstorm before the February 28 strikes.

Read more
centripetal threat researchNews
Mar 20, 2026
Pre-Positioned Access: The Cyber Threat Behind the Iran… | Centripetal

Malware deployed by Cotton Sandstorm alongside WezRat for hack-and-leak amplification.

Read more
register securityNews
Mar 2, 2026
Iran's cyberwar has begun • The Register

Ransomware deployed following intrusions attributed to Cotton Sandstorm, reported as used specifically against Israeli targets in the described activity.

Read more
checkpoint research blogNews
Feb 23, 2026
2025: The Untold Stories of Check Point Research - Check Point Research

Ransomware used in Iran-aligned disruptive campaigns targeting Israel; noted as deployed after WezRat infostealer.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.