{
	"id": "8e8f2355-f045-4af4-902f-d77b0baac5c1",
	"created_at": "2026-04-06T00:13:23.508927Z",
	"updated_at": "2026-04-10T03:20:33.013466Z",
	"deleted_at": null,
	"sha1_hash": "1c316ceae2c1487d049852e214ccff07597a158d",
	"title": "AcidRain Wiper Malware hit Routers and Modems, Halts Communication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3370124,
	"plain_text": "AcidRain Wiper Malware hit Routers and Modems, Halts Communication\r\nBy Guru Baran\r\nPublished: 2022-04-04 · Archived: 2026-04-05 16:56:53 UTC\r\nOn March 15th, 2022, VirusTotal received a suspicious upload, a MIPS ELF file named ‘ukrop’. Researchers at SentinelOne suspected the name was short for “Ukraine Operations”. Other explanations were also offered: that it is short for Ukraine Association of Patriots, or that it is a Russian ethnic slur for Ukrainians, “Укроп”.\r\nThere was a suspicion that this malware was the one used during the Viasat case. However, SentinelOne went through the malware and provided a full report about its functionality, development and possible overlaps.\r\nTechnical Analysis\r\nThis malware is a wiper that erases all the data on a targeted system. The analysis stated that this malware uses a brute-force technique, which indicates that the attackers did not know the particular firmware configurations.\r\nIf the malware is run as root, it initiates a recursive overwrite and deletion of non-standard files on the machine.\r\nAfter this, it attempts to delete the files present in the following device locations.\r\nTargeted Device(s) Description\r\n/dev/sd* A generic block device\r\n/dev/mtdblock* Flash memory (common in routers and IoT devices)\r\n/dev/block/mtdblock* Another potential way of accessing flash memory\r\n/dev/mtd* The device file for flash memory that supports fileops\r\n/dev/mmcblk* For SD/MMC cards\r\n/dev/block/mmcblk* Another potential way of accessing SD/MMC cards\r\n/dev/loop* Virtual block devices\r\nThe malware performs a sophisticated attack after this. It iterates over all possible device file identifiers. If the device is a /dev/mtd* device file, the malware overwrites it with 0x40000 bytes of data. If the device is anything else, it uses IOCTLs like MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB to wipe it. To ensure the deletion was made, it uses the fsync syscall.\r\nWhen overwriting takes place, the malware copies from a memory region that is a 4-byte array starting from 0xffffffff and decreasing at each index.\r\nThe code used for wiping is given in the image below.\r\nOnce all the processes of the malware are executed, it initiates a reboot of the device.\r\nAcidRain has similarities with VPNFilter but is different. Both are MIPS ELF libraries. There is also a possibility that they were built with the same compiler.\r\nA complete analysis, similarities, and other features of the malware were published by SentinelOne.\r\nSource: https://cybersecuritynews.com/acidrain-wiper-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cybersecuritynews.com/acidrain-wiper-malware/"
	],
	"report_names": [
		"acidrain-wiper-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434403,
	"ts_updated_at": 1775791233,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c316ceae2c1487d049852e214ccff07597a158d.pdf",
		"text": "https://archive.orkl.eu/1c316ceae2c1487d049852e214ccff07597a158d.txt",
		"img": "https://archive.orkl.eu/1c316ceae2c1487d049852e214ccff07597a158d.jpg"
	}
}