{
	"id": "a0c4d5ac-5b2f-425f-85a3-2009900c036a",
	"created_at": "2026-04-06T00:06:14.412248Z",
	"updated_at": "2026-04-10T03:35:26.283442Z",
	"deleted_at": null,
	"sha1_hash": "06ad22c0cd67c62f1db106a602630e37fac1ddff",
	"title": "Second New 'IsaacWiper' Data Wiper Targets Ukraine After Russian Invasion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 166424,
	"plain_text": "Second New 'IsaacWiper' Data Wiper Targets Ukraine After\r\nRussian Invasion\r\nBy The Hacker News\r\nPublished: 2022-03-01 · Archived: 2026-04-05 15:35:31 UTC\r\nA new data wiper malware has been observed deployed against an unnamed Ukrainian government network, a day\r\nafter destructive cyber attacks struck multiple entities in the country preceding the start of Russia's military\r\ninvasion.\r\nSlovak cybersecurity firm ESET dubbed the new malware \"IsaacWiper,\" which it said was detected on February\r\n24 in an organization that was not affected by HermeticWiper (aka FoxBlade), another data wiping malware that\r\ntargeted several organizations on February 23 as part of a sabotage operation aimed at rendering the machines\r\nunusable.\r\nFurther analysis of the HermeticWiper attacks, which infected at least five Ukrainian organizations, has revealed\r\na worm constituent that propagates the malware across the compromised network and a ransomware module that\r\nacts as a \"distraction from the wiper attacks,\" corroborating a prior report from Symantec.\r\nhttps://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html\r\nPage 1 of 3\n\n\"These destructive attacks leveraged at least three components: HermeticWiper for wiping the data,\r\nHermeticWizard for spreading on the local network, and HermeticRansom acting as a decoy ransomware,\" the\r\ncompany said.\r\nIn a separate analysis of the new Golang-based ransomware, Russian cybersecurity company Kaspersky, which\r\ncodenamed the malware \"Elections GoRansom,\" characterized it as a last-minute operation, adding it was \"likely\r\nused as a smokescreen for the HermeticWiper attack due to its non-sophisticated style and poor implementation.\"\r\nAs an anti-forensic measure, HermeticWiper is also designed to hinder analysis by erasing itself from the disk by\r\noverwriting its own file with random bytes.\r\nESET said it hasn't been able to find \"any tangible connection\" to attribute 
these attacks to a known threat actor.\r\nBut the malware artifacts unearthed so far make it clear that the intrusions had been planned for several months,\r\nwith the targeted entities suffering compromises well in advance of the wiper's deployment.\r\n\"This is based on several facts: the HermeticWiper PE compilation timestamps, the oldest being December 28,\r\n2021; the code-signing certificate issue date of April 13, 2021; and the deployment of HermeticWiper through the\r\ndefault domain policy in at least one instance, suggesting the attackers had prior access to one of that victim's\r\nActive Directory servers,\" said Jean-Ian Boutin, ESET head of threat research.\r\nAlso unknown are the initial access vectors used to deploy both the wipers, although it's suspected that the\r\nattackers leveraged tools like Impacket and RemCom, a remote access software, for lateral movement and\r\nmalware distribution.\r\nFurthermore, IsaacWiper shares no code-level overlaps with HermeticWiper and is substantially less sophisticated,\r\neven as it sets out to enumerate all the physical and logical drives before proceeding to carry out its file wiping\r\noperations.\r\n\"On February 25, 2022, attackers dropped a new version of IsaacWiper with debug logs,\" the researchers said.\r\n\"This may indicate that the attackers were unable to wipe some of the targeted machines and added log messages\r\nto understand what was happening.\"\r\nUpdate: Microsoft, which is tracking HermeticWiper under the name FoxBlade (and HermeticRansom as\r\nSonicVote), said the \"intended objective of these attacks is the disruption, degradation, and destruction of targeted\r\nresources\" in Ukraine.\r\nThe infections impacted \"hundreds of systems spanning multiple government, information technology, financial\r\nsector, and energy organizations predominantly located in or with a nexus to Ukraine,\" it noted.\r\n
The tech giant's Threat Intelligence Center (MSTIC) has attributed the attacks to an emerging threat cluster\r\ndesignated as DEV-0665, pointing out its lack of affiliation to a previously known threat activity group. It's worth\r\nnoting here that the actor responsible for the WhisperGate wiper attacks in January is known as DEV-0586.\r\nAssigning IsaacWiper-related intrusions the moniker Lasainraw, Microsoft also characterized them as a \"limited\r\ndestructive malware attack,\" adding it's \"continuing to investigate this incident and has not currently linked it to\r\nknown threat activity.\"\r\nSource: https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html"
	],
	"report_names": [
		"second-new-isaacwiper-data-wiper.html"
	],
	"threat_actors": [
		{
			"id": "96476518-d729-4ce6-835d-c8843c746eea",
			"created_at": "2024-02-02T02:00:04.039304Z",
			"updated_at": "2026-04-10T02:00:03.536508Z",
			"deleted_at": null,
			"main_name": "Sunglow Blizzard",
			"aliases": [
				"DEV-0665"
			],
			"source_name": "MISPGALAXY:Sunglow Blizzard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433974,
	"ts_updated_at": 1775792126,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06ad22c0cd67c62f1db106a602630e37fac1ddff.pdf",
		"text": "https://archive.orkl.eu/06ad22c0cd67c62f1db106a602630e37fac1ddff.txt",
		"img": "https://archive.orkl.eu/06ad22c0cd67c62f1db106a602630e37fac1ddff.jpg"
	}
}