{
	"id": "37e8fcc5-bfbd-4ff6-b7b9-08140a04f7bc",
	"created_at": "2026-04-06T00:08:34.957223Z",
	"updated_at": "2026-04-10T03:21:11.279162Z",
	"deleted_at": null,
	"sha1_hash": "178da0387a71775c74cebf0bc923952bce320af0",
	"title": "Threat Advisory: HermeticWiper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 420036,
	"plain_text": "Threat Advisory: HermeticWiper\r\nBy Cisco Talos\r\nPublished: 2022-02-24 · Archived: 2026-04-05 18:04:07 UTC\r\nThursday, February 24, 2022 15:00\r\nUpdate: March 1, 2022\r\nCisco Talos is aware of reporting on additional components associated with the ongoing HermeticWiper attacks. These components include:\r\nHermeticWizard, a component that propagates HermeticWiper to, and deploys it on, additional systems within affected environments. It scans the network to inventory the environment and spreads the wiper to other hosts via SMB or WMI.\r\nIsaacWiper, an additional wiper responsible for the destruction of systems and data.\r\nHermeticRansom, a ransomware family observed being deployed at the same time as HermeticWiper, possibly as a diversionary tactic.\r\nAnalysis is ongoing to confirm the details included in these reports.\r\nUpdate: Feb. 26, 2022\r\nAdditional details added to the embedded resources section, specifically around driver usage.\r\nUpdate: Feb. 25, 2022\r\nDuring additional investigation, Cisco Talos found that, in some cases, the adversaries dropped a legitimate copy of the Sysinternals tool SDelete alongside HermeticWiper. We are still investigating its potential use as a failsafe or some other unused mechanism in the attack, and will update as further information becomes available. Its hash has been added to the IOC section for reference, along with several others associated with HermeticWiper.\r\nCisco Talos is aware of a second wave of wiper attacks ongoing inside Ukraine, leveraging a new wiper that has been dubbed \"HermeticWiper.\" Deployment of the destructive malware began on Feb. 23, 2022. 
HermeticWiper\r\nfeatures behavioral characteristics similar to what was observed during the WhisperGate attacks that occurred in January.\r\nhttps://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html\r\nPage 1 of 8\n\nThe malware has two components designed for destruction: one that targets the Master Boot Record (MBR) and another that targets partitions.\r\nWiper analysis\r\nThe wiper is a relatively small executable — approximately 115KB in size — with the majority of it consisting of embedded resources. The executable is signed with a code-signing certificate issued to \"Hermetica Digital Ltd\", valid from April 2021 to April 2022.\r\nDigital certificate on the wiper executables.\r\nOne of the wiper executables was compiled on Feb. 23, 2022 and was deployed the very same day. Another copy was compiled as early as Dec. 28, 2021, indicating that the attackers had been developing the wiper for several months.\r\nCompilation timestamp of one of the earliest known HermeticWiper samples.\r\nEmbedded Resources\r\nHermeticWiper contains four embedded resources, each a compressed copy of a driver used by the wiper.\r\nThese drivers belong to the legitimate program EaseUS Partition Master, and the malware uses them to interact with the storage devices present on infected systems. The use of legitimate drivers to obtain direct access to storage devices is consistent with wiper malware observed over the past several years.\r\nOne advantage of going through a driver rather than the usual file and volume APIs is the ability to issue I/O control codes (IOCTLs). IOCTLs give deeper, direct access to underlying operating system and file system components and attributes, and their use is typically reserved for device drivers. 
Detection logic is commonly built around the use of Windows native APIs; by issuing its destructive operations as IOCTLs through the EaseUS Partition Master driver instead, the wiper can potentially evade both detection and prevention of those actions. For instance, this technique could defeat detections that look for disk writes to particular sectors, including partition tables.\r\nThe IOCTL and FSCTL codes the wiper issues are:\r\nIOCTL_STORAGE_GET_DEVICE_NUMBER\r\nIOCTL_DISK_GET_DRIVE_GEOMETRY_EX\r\nIOCTL_DISK_GET_DRIVE_LAYOUT_EX\r\nIOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS\r\nFSCTL_GET_RETRIEVAL_POINTERS\r\nFSCTL_GET_VOLUME_BITMAP\r\nFSCTL_LOCK_VOLUME\r\nFSCTL_DISMOUNT_VOLUME\r\nFSCTL_MOVE_FILE\r\nFSCTL_GET_NTFS_FILE_RECORD\r\nFSCTL_GET_NTFS_VOLUME_DATA\r\nWiper process\r\nThe wiper process begins by enabling two privileges in its token:\r\nSeShutdownPrivilege: to shut down the endpoint once it has been wiped.\r\nSeBackupPrivilege: allows reading file contents even where the file's security descriptor does not grant such access.\r\nDepending on the version of Windows running on the infected system, the wiper then extracts the applicable embedded driver. The driver is decompressed in the wiper's process memory and written to disk at \"C:\\Windows\\System32\\drivers\\\u003c4_random_characters\u003e.sys\".\r\nBefore beginning the wipe, the wiper also disables generation of crash dumps via\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl | CrashDumpEnabled = 0x0\r\nDisabling crash dump generation.\r\nThe wiper then enumerates the physical drives on the system by iterating over device numbers 0 to 100 (\\\\.\\PhysicalDrive0 through \\\\.\\PhysicalDrive100). 
After identifying the physical drives, it corrupts the first 512 bytes of each to destroy the MBR.\r\nPhysical drive enumeration.\r\nAt this point, it turns its attention to partitions and begins enumerating the individual partitions. First, the wiper disables the Volume Shadow Copy Service (VSS). It then uses different destructive mechanisms on the partitions depending on their file system, FAT or NTFS. In both cases the partition contents are corrupted, causing damage beyond the MBR overwrite. Because the partitions themselves are corrupted rather than only sector 0, systems with GPT disks (which keep a backup copy of the partition table) are affected as well as those with MBR disks, similar to how WhisperKill operated.\r\nOn NTFS, the wiper also attempts to corrupt metadata files such as $LogFile and $Bitmap, along with attributes such as $INDEX_ALLOCATION and $DATA.\r\nThe final stage of the wiper waits for its threads to complete and then initiates a reboot, ensuring the wiping activity takes effect.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. 
Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Firepower Threat Defense (FTD), Firepower Device Manager (FDM), Threat Defense Virtual and Adaptive Security Appliance can detect malicious activity associated with this threat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\r\nMeraki MX appliances can detect malicious activity associated with this threat.\r\nUmbrella, Secure Internet Gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run osquery queries to check whether their endpoints are infected with this specific threat. 
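The host artifacts described in the wiper process section (the four-character .sys dropped into System32\\drivers, CrashDumpEnabled set to 0, VSS disabled, the Hermetica Digital Ltd signing certificate) and the hashes in the IOC section translate directly into osquery statements of the kind Orbital runs. The queries below are an added example written for this page; they are not Talos's own Orbital queries. They assume osquery's standard Windows tables (registry, file, hash, authenticode, processes, services) and a default C:\\Windows install path; the hash lists are copied from the IOC section.

```sql
-- Added example: osquery (Orbital) hunt queries for the HermeticWiper host artifacts
-- described above. Assumes osquery's standard Windows tables and a default install path.

-- 1. Crash dump generation disabled: the wiper sets CrashDumpEnabled = 0 before wiping.
SELECT path, data, datetime(mtime, 'unixepoch') AS key_modified
FROM registry
WHERE path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled'
  AND data = '0';

-- 2. The dropped driver: a four-character .sys in System32\\drivers that is not
--    Microsoft-signed. Legitimate drivers such as disk.sys or ndis.sys also have
--    four-letter names, so the signer filter does the real work. Note that WHQL-signed
--    third-party drivers carry a Microsoft publisher and are skipped by this filter.
SELECT f.path, f.size, datetime(f.btime, 'unixepoch') AS created,
       a.subject_name, a.result, h.sha256
FROM file f
JOIN authenticode a ON a.path = f.path
JOIN hash h ON h.path = f.path
WHERE f.directory = 'C:\\Windows\\System32\\drivers'
  AND f.filename LIKE '____.sys'
  AND a.subject_name NOT LIKE 'Microsoft%';

-- 3. Known EaseUS Partition Master driver hashes from the IOC section. These are
--    legitimate EaseUS files, so a hit is a lead to pivot on, not proof by itself.
SELECT h.path, h.sha256
FROM hash h
WHERE h.directory = 'C:\\Windows\\System32\\drivers'
  AND h.sha256 IN (
    'b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1',
    'b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd',
    'e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5',
    'fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d',
    '8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b',
    '23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4',
    '96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84',
    '2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d'
  );

-- 4. A running binary signed with the Hermetica Digital Ltd certificate, or whose
--    SHA-256 matches a wiper or SDelete hash from the IOC section. LEFT JOIN keeps
--    unsigned processes in play for the hash match. The SDelete hash is the legitimate
--    Sysinternals tool, so treat that match as context, not a verdict.
SELECT p.pid, p.path, p.cmdline, a.subject_name, a.result, h.sha256
FROM processes p
LEFT JOIN authenticode a ON a.path = p.path
JOIN hash h ON h.path = p.path
WHERE a.subject_name LIKE '%Hermetica Digital%'
   OR h.sha256 IN (
    '0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da',
    '1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591',
    '2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf',
    '3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767',
    '49e0ba14923da608abcae04a9a56b0689fe6f5ac6bdf0439a46ce35990ac53ee'
  );

-- 5. Volume Shadow Copy Service state. VSS is Manual-start and is normally STOPPED
--    when idle, so STOPPED alone means little; a start_type of DISABLED on a host
--    that was not configured that way is the signal.
SELECT name, display_name, status, start_type
FROM services
WHERE name = 'VSS';
```

Queries 1, 2 and 5 look for the wiper's side effects and still fire after the wiper binary is gone; queries 3 and 4 depend on the IOC hashes, which any rebuild of the sample changes, and query 4 only sees the wiper while it is still running. Run them from Orbital or from osqueryi on the host; on a machine that has already been wiped and rebooted none of them will run, so they belong in a scheduled hunt across the fleet rather than in post-mortem triage of a dead host.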
Snort SIDs: 59099-59100\r\nThe following ClamAV signature is available for protection against this threat:\r\nWin.RedTrixx.Wiper.tii.Hunt\r\nUmbrella SIG customers will be protected from this threat if configured to leverage IPS or Malware Analytics capabilities.\r\nIOCs\r\nWiper EXEs (SHA-256)\r\n0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da\r\n1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\r\n2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf\r\n3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767\r\nSysinternals SDelete (SHA-256)\r\n49e0ba14923da608abcae04a9a56b0689fe6f5ac6bdf0439a46ce35990ac53ee\r\nEaseUS Partition Master drivers (SHA-256)\r\nb01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1\r\nb6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd\r\ne5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5\r\nfd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d\r\n8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b\r\n23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4\r\n96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84\r\n2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d\r\nSource: https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"
	],
	"report_names": [
		"threat-advisory-hermeticwiper.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/178da0387a71775c74cebf0bc923952bce320af0.pdf",
		"text": "https://archive.orkl.eu/178da0387a71775c74cebf0bc923952bce320af0.txt",
		"img": "https://archive.orkl.eu/178da0387a71775c74cebf0bc923952bce320af0.jpg"
	}
}