{
	"id": "80592130-6c80-46d1-9dfe-0d3b4ea6fff0",
	"created_at": "2026-04-06T00:10:36.392975Z",
	"updated_at": "2026-04-10T03:30:30.782503Z",
	"deleted_at": null,
	"sha1_hash": "1ba49d11e3564e352356e2e732822fd6b909ca34",
	"title": "Researchers spot updated version of malware that hit Viasat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46570,
	"plain_text": "Researchers spot updated version of malware that hit Viasat\r\nBy AJ Vicens\r\nPublished: 2024-03-18 · Archived: 2026-04-05 20:06:16 UTC\r\nA new variant of the wiper malware used to disrupt Ukrainian military communications at the onset of the Russian\r\ninvasion emerged over the weekend, demonstrating what researchers describe as the continuing development of a\r\ntool used to carry out one of the most notable cyberattacks of the war.\r\nOn Feb. 24, 2022, the night before the Russian government launched its full-scale invasion, Russian-backed\r\nhackers targeted thousands of modems linked to Viasat, the U.S.-based satellite and internet communications\r\ncompany, and relied on by the Ukrainian military. The attack — attributed to the Russian government by the\r\nUnited States and its allies — relied on a piece of malware that researchers with SentinelLabs dubbed “AcidRain.”\r\nOn Saturday, a new variant of that malware was uploaded to VirusTotal, a malware information-sharing platform,\r\nand spotted by Tom Hegel, principal threat researcher at SentinelOne.\r\nDubbed “AcidPour” by Hegel and his colleagues, the new variant is concerning because it has new features and\r\ncould be used as part of a “larger service disruption by Russia” and wipe the contents of not just modems but a\r\nrange of other devices, Hegel told CyberScoop in an email Monday.\r\nA representative of the State Service of Special Communications and Information Protection of Ukraine told\r\nCyberScoop in an email early Tuesday that they’re aware of AcidPour and “other related malicious capabilities\r\nand its repetitive usage against targets within Ukraine.”\r\nThe agency’s Computer Emergency Response Team (CERT-UA) has been in contact with “some of the victims,”\r\nthe representative said, and the agency has attributed the activity to a unit within Russian military intelligence\r\n(GRU) tracked as UAC-0165, which itself is a sub cluster within a larger group tracked widely as 
Sandworm, one\r\nof the Russian military’s most potent and enduring hacking units.\r\nWiper attacks have been a go-to for Russian attacks on Ukrainian government and private-sector targets in the past\r\ntwo years, and the latest version of the software used to target Viasat shows how Russian hacking groups are\r\nevolving their tools.\r\nWhile the original version was designed to wipe modems and routers, the updated software is far more capable.\r\n“Now AcidPour is markedly different on a technical level — it has different architecture, and new features,” Hegel\r\nsaid. “This time the attacker can wipe RAID arrays and UBI – which could be used for a different level of impact,\r\nand potentially even more difficult to prevent and recover from.”\r\nRAID refers to arrays of storage drives combined into a single logical volume, and UBI (Unsorted Block Images) is\r\nthe Linux volume-management layer for raw flash memory on which the UBIFS filesystem sits; both are persistent\r\nstorage rather than working memory. The updated malware therefore appears able to target the storage of embedded\r\ndevices — components within larger systems — including IoT, networking devices and “maybe some [industrial\r\ncontrol systems],” Juan Andres Guerrero-Saade, the associate vice president of the SentinelLabs research unit at\r\nSentinelOne, wrote on X.\r\n“The identification of impacting RAID, and Unsorted Block Image File Systems (UBIFS) used by embedded\r\ndevices — which of course can span many types of real-world devices — is noteworthy,” Hegel explained.\r\n“Embedded devices are particularly concerning as they often serve critical needs yet lack simple detection and\r\nrecovery options if they were to be wiped.”\r\nHegel said he would expect the malware to be deployed to “many devices,” including those in data centers,\r\nnetwork-attached storage devices or others. “It should work on them all,” he said. 
“Big open door for what it\r\ncould be used on.”\r\nIt’s not clear where this malware has been deployed, Guerrero-Saade said, and authorities in Ukraine have been\r\nnotified.\r\nUpdated March 19, 2024: This story has been updated to include comments from the State Service of Special\r\nCommunications and Information Protection of Ukraine.\r\nSource: https://cyberscoop.com/viasat-malware-wiper-acidrain/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cyberscoop.com/viasat-malware-wiper-acidrain/"
	],
	"report_names": [
		"viasat-malware-wiper-acidrain"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ba49d11e3564e352356e2e732822fd6b909ca34.pdf",
		"text": "https://archive.orkl.eu/1ba49d11e3564e352356e2e732822fd6b909ca34.txt",
		"img": "https://archive.orkl.eu/1ba49d11e3564e352356e2e732822fd6b909ca34.jpg"
	}
}