{
	"id": "5380967d-9fb1-492e-9492-94879f78463c",
	"created_at": "2026-04-06T00:06:21.277116Z",
	"updated_at": "2026-04-10T03:30:30.650612Z",
	"deleted_at": null,
	"sha1_hash": "10740a9c6c3fdd76d03c028e1bba1fef71512c76",
	"title": "New CaddyWiper data wiping malware hits Ukrainian networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2592211,
	"plain_text": "New CaddyWiper data wiping malware hits Ukrainian networks\r\nBy Sergiu Gatlan\r\nPublished: 2022-03-14 · Archived: 2026-04-05 13:58:41 UTC\r\nNewly discovered data-destroying malware was observed earlier today in attacks targeting Ukrainian organizations and\r\ndeleting data across systems on compromised networks.\r\n\"This new malware erases user data and partition information from attached drives,\" ESET Research Labs explained.\r\n\"ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations.\"\r\nWhile designed to wipe data across Windows domains it's deployed on, CaddyWiper will use the\r\nDsRoleGetPrimaryDomainInformation() function to check if a device is a domain controller. If so, the data on the domain\r\ncontroller will not be deleted.\r\nThis is likely a tactic used by the attackers to maintain access inside the compromised networks of organizations they hit\r\nwhile still heavily disturbing operations by wiping other critical devices.\r\nWhile analyzing the PE header of a malware sample discovered on the network of an undisclosed Ukrainian organization, it\r\nwas also discovered that the malware was deployed in attacks the same day it was compiled.\r\n\"CaddyWiper does not share any significant code similarity with HermeticWiper, IsaacWiper, or any other malware known\r\nto us. 
The sample we analyzed was not digitally signed,\" ESET added.\r\n\"Similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had\r\nprior control of the target's network beforehand.\"\r\nCaddyWiper compilation date (ESET)\r\nFourth data wiper deployed in Ukraine this year\r\nCaddyWiper is the fourth data wiper malware deployed in attacks in Ukraine since the start of 2022, with ESET Research\r\nLabs analysts previously discovering two others and Microsoft a third.\r\nOne day before the Russian invasion of Ukraine started, on February 23rd, ESET researchers spotted a data-wiping malware\r\nnow known as HermeticWiper, used to target Ukraine together with ransomware decoys.\r\nThey also discovered a data wiper they dubbed IsaacWiper and a new worm named HermeticWizard the attackers used to\r\ndrop HermeticWiper wiper payloads, deployed the day Russia invaded Ukraine.\r\nMicrosoft also found a wiper now tracked as WhisperGate, used in data-wiping attacks against Ukraine in mid-January,\r\ndisguised as ransomware.\r\nAs Microsoft President and Vice-Chair Brad Smith said, these ongoing attacks with destructive malware against Ukrainian\r\norganizations \"have been precisely targeted.\"\r\nThis contrasts with the indiscriminate NotPetya worldwide malware assault that hit Ukraine and other countries in 2017, an\r\nattack later linked to Sandworm, a Russian GRU Main Intelligence Directorate hacking group.\r\nSuch destructive attacks are part of a \"massive wave of hybrid warfare,\" as the Ukrainian Security Service (SSU) described\r\nthem right before the war started.\r\nSource: https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/"
	],
	"report_names": [
		"new-caddywiper-data-wiping-malware-hits-ukrainian-networks"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433981,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10740a9c6c3fdd76d03c028e1bba1fef71512c76.pdf",
		"text": "https://archive.orkl.eu/10740a9c6c3fdd76d03c028e1bba1fef71512c76.txt",
		"img": "https://archive.orkl.eu/10740a9c6c3fdd76d03c028e1bba1fef71512c76.jpg"
	}
}