{
	"id": "bf272245-5a99-466f-b0d7-efa493469452",
	"created_at": "2026-04-06T01:28:51.373288Z",
	"updated_at": "2026-04-10T03:38:20.491943Z",
	"deleted_at": null,
	"sha1_hash": "1c873c59e0bdb9d92d2ab7f8381ee7e9ef6a8d4f",
	"title": "An Overview of the Increasing Wiper Malware Threat | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104764,
	"plain_text": "An Overview of the Increasing Wiper Malware Threat |\r\nFortiGuard Labs\r\nBy Geri Revay\r\nPublished: 2022-04-28 · Archived: 2026-04-06 00:32:06 UTC\r\nIn parallel with the war in Ukraine, cybersecurity researchers have witnessed a sudden increase in the number of\r\nwiper malware deployments. Although these haven't been officially attributed to Russian state-sponsored threat\r\nactors, their goals align with the Russian military's. It is widely theorized that these cyberattacks are intentionally\r\nbeing launched in concert with the invasion.\r\nWith wiper malware in the spotlight, we at FortiGuard Labs wanted to provide more information on this threat to\r\nhelp organizations understand it and implement better protections against it. In this blog, the following topics\r\nwill be discussed:\r\nWhat is wiper malware?\r\nThe motivation for threat actors to use it\r\nInteresting properties that can influence the effectiveness of the malware\r\nWiper techniques under the hood\r\nProtections provided by Fortinet\r\nWhat is Wiper Malware?\r\nThe wiper term in wiper malware comes from its most basic function, when the objective of the malware is to\r\nwipe (erase) the hard disk of the victim machine. More generically, wiper malware can be defined as malicious\r\nsoftware that tries to destroy data. 
As we will see in the following sections, there are different ways to accomplish\r\nthis.\r\nHistory of Wiper Malware\r\nBelow is a short history of notable wiper malware (also shown in Figure 1):\r\nShamoon, 2012: Used to attack Saudi Aramco and Qatar's RasGas oil companies.\r\nDark Seoul, 2013: Attacked South Korean media and financial companies.\r\nShamoon, 2016: Returned to attack Saudi Arabian organizations again.\r\nNotPetya, 2017: Originally targeted Ukrainian organizations, but due to its self-propagation capability, it\r\nbecame the most devastating malware to date.\r\nOlympic Destroyer, 2018: Attack targeting the Winter Olympics in South Korea.\r\nOrdinypt/GermanWiper, 2019: Targeted German organizations with phishing emails in German.\r\nDustman, 2019: Iranian state-sponsored threat actors attacked Bapco, Bahrain's national oil company.\r\nZeroCleare, 2020: Attacked energy companies in the Middle East.\r\nWhisperKill, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.\r\nhttps://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat\r\nPage 1 of 12\n\nWhisperGate, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.\r\nHermeticWiper, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.\r\nIsaacWiper, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.\r\nCaddyWiper, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.\r\nDoubleZero, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.\r\nAcidRain, 2022: Attacked Viasat's KA-SAT satellite service provider.\r\nMotivations Behind Deploying Wiper Malware\r\nIn this section, we will look at the different motivations behind deploying wiper malware. While its goals are\r\nstraightforward, that does not mean that the motivation is always the same. 
We distinguish between the following\r\nfour potential motivators: financial gain, destruction of evidence, sabotage, and cyberwar.\r\nFinancial Gain\r\nIn general, financial gain is the least significant motivator for wiper malware. This is understandable because it is\r\nhard to monetize destruction. However, one aspect we wanted to point out here is the fake ransomware variant that\r\npretends to encrypt data and asks for a ransom, but without the capability to recover data. This could be called a\r\nransomware scam because the ransomware concept is fraudulent. Threat actors employing such techniques are\r\nsimply looking to make a quick buck without investing in developing an actual ransomware tool or in the\r\nadministration work behind an actual ransomware operation. Of course, such an enterprise is short-lived because\r\nonce it gets out that it is not possible to recover data, nobody will pay the ransom.\r\nA good example is Ordinypt, also known as GermanWiper, which was active in 2017. As ransomware does, it altered\r\nfiles and added a random 5-character extension to them. It also destroyed recovery options, such as the Windows\r\nshadow copy. And it changed the desktop background to display a ransom note with a Bitcoin address where the\r\nransom payment was expected to be sent. However, it did not really encrypt files. Instead, it filled them with zero\r\nbytes and truncated them. With this approach, there was no way to recover any affected files.\r\nDestruction of Evidence\r\nThis is a hard-to-prove motivator, but sometimes when there is no other reason to deploy a wiper in an attack, it\r\nmay be concluded that the real reason was something else, such as espionage. The wiper is only deployed after the\r\ntrue goal of the attack is achieved. Instead of meticulously erasing their tracks and all evidence of their attack, the\r\nattackers simply deploy wiper malware in the organization. 
This not only erases the evidence, but the scale of\r\nthe destruction causes the defenders to focus on the recovery of data and operations and not on investigating the\r\nintrusion.\r\nSabotage\r\nSabotage is the most obvious reason to deploy a wiper. Just as the Stuxnet malware was used to destroy\r\ncentrifuges to slow down Iran's efforts to develop nuclear weapons, wiper malware could be used to destroy data,\r\nsabotage development, cause financial loss, or just cause chaos.\r\nOne example in this category is the Shamoon malware, used to attack Saudi Aramco and other oil companies. The\r\nattack destroyed 30,000 workstations at Saudi Aramco. At such a scale, even replacing these computers becomes a\r\nlogistical nightmare. The attack was also scheduled for a time when a holiday had just started to maximize its\r\nimpact by counting on the limited staff available to respond to the attack.\r\nCyberwar\r\nA few months ago, it would not have been as straightforward to include this motivation in the list. But at the time\r\nof this post, seven different wiper malware attacks (WhisperKill, WhisperGate, HermeticWiper, IsaacWiper,\r\nCaddyWiper, DoubleZero, AcidRain) have been discovered targeting Ukrainian infrastructure or Ukrainian\r\ncompanies—all clearly in line with Russia's interest in the Ukraine-Russia war. Generally, wiper operations in this\r\ncategory attack targets whose destruction is in the interest of the opposing military. For example, the motivation\r\nbehind such an attack might be to cripple critical infrastructure. This could be done to either cause chaos and\r\nincrease mental stress on the enemy or to cause destruction at a tactical target. 
Wiper attacks can also have a\r\ndevastating effect against OT and critical infrastructure targets, which has value in a war.\r\nAn interesting and recent example is the suspicion that the AcidRain wiper was used in an attack against the\r\nViasat KA-SAT satellite broadband service provider. The attacker gained access to the management infrastructure\r\nof the provider to deploy AcidRain on KA-SAT modems used in Ukraine. The attack also rendered 5,800 wind\r\nturbines inaccessible in Germany.\r\nInteresting Properties\r\nAlthough the general objective of wiper malware is quite simple, some have interesting properties worth\r\ndiscussing.\r\nFake Ransomware\r\nAs discussed, many wiper malware samples pretend to be ransomware. This means they leverage many of the\r\ntypical Tactics, Techniques, and Procedures (TTPs) that actual ransomware uses, but they do this without the\r\npossibility of recovering the files. In theory, standard ransomware can also be used as a wiper if the decryption\r\nkey is never provided to the victim. In that case, the encrypted files are practically lost. However, after detailed\r\nanalysis, it is apparent in many cases that the ransomware functionality is just a ruse, and in reality, the malware is\r\na wiper. There could be a couple of reasons to do this:\r\nAs seen previously with Ordinypt, a sample can follow the ransomware business model without the\r\nintention to recover files.\r\nIt can be used to mislead the incident response team and, with that, slow down countermeasures.\r\nIt can hide the motivation behind an attack. Ransomware would suggest cybercrime, which could be a way to\r\nhide that the real motivation is sabotage or cyberwar.\r\nAn excellent example of the latter is the infamous NotPetya malware from 2017. It was the most devastating\r\nmalware so far. It started with a supply chain attack against Ukrainian companies through updates from a small\r\nUkrainian accounting software company. However, it did not stop there. 
Since NotPetya was a worm, it also\r\nexploited vulnerabilities in other software to propagate. This was so efficient that it quickly became a global\r\nproblem, crippling networks without discrimination. It went to great lengths to imitate ransomware, such as\r\nencrypting files, providing a Bitcoin address for payment, and delivering a ransom note. However, in reality, it\r\nwas a wiper that just destroyed data. It was attributed to the Sandworm actors, who are associated with the Main\r\nDirectorate of the General Staff of the Armed Forces of the Russian Federation, often referred to as GRU.\r\nSelf-Propagation\r\nAs with NotPetya, we can see that a significant property of wipers is whether or not they are self-propagating. If it\r\nis a worm, such as NotPetya, it will self-propagate to other machines once it is let loose. In such a case, it is not\r\nnecessarily possible to control it any longer.\r\nThere are a couple of ways malware can self-propagate:\r\nBy exploiting vulnerabilities in network services.\r\nGathering credentials on infected machines and using them to connect to other machines in the network.\r\nUsing legitimate ways to move from one device to another, such as update processes.\r\nThis does not mean, of course, that non-self-propagating malware cannot be devastating. If the domain controller\r\nis compromised in a network, it can be used to deploy the wiper on all machines in the organization. The main\r\ndifference is that self-propagating malware cannot be controlled once it has been unleashed.\r\nWiper Malware Techniques\r\nNow let's roll up our sleeves and get our hands dirty by looking under the hood of wiper malware to understand\r\nthe techniques they use to destroy the victim's data.\r\nOverwriting Files\r\nThe most trivial approach for wipers is to simply enumerate the filesystem and overwrite the selected files with\r\ndata. 
We discussed earlier that Ordinypt used this approach, overwriting files with zero (0x00) bytes.\r\nAnother good example is the WhisperGate wiper deployed against Ukrainian organizations earlier this year. It\r\nhad various stages and components, but the second stage (stage2.exe) downloaded the file corrupter component\r\nfrom a hardcoded Discord channel. This component goes through specific folders looking for files with file\r\nextensions hardcoded in the malware. These files are different data files. The malware replaces the content of the\r\nfiles with 1 MB of 0xCC bytes and adds a random 4-character extension. It is worth noting that WhisperGate\r\nalso pretended to be ransomware, even though it corrupts files beyond repair.\r\nEncrypting Files\r\nAs mentioned earlier, encrypting a file and destroying the key is essentially equivalent to destroying the file. Of\r\ncourse, a brute-force attempt could be made to recover the file, but if proper encryption algorithms are used, this\r\napproach is quite hopeless. However, encryption rather than simply overwriting is very resource-intensive and\r\nslows down the malware. The only use case for implementing encryption in a wiper is when the authors want to\r\nkeep up the appearance of being ransomware for as long as possible. This was the case with NotPetya, which did\r\nencrypt files properly.\r\nOverwriting MBR\r\nMany wipers also make sure to overwrite the Master Boot Record (MBR) of the disk. This part of a disk tells the\r\ncomputer how to boot the operating system. If the MBR is destroyed, the computer won't start. However, this does\r\nnot mean that the data on the hard disk has been destroyed. If only the MBR is corrupted, the data can still be\r\nrecovered. By itself, it can only be used to cause chaos and confusion, but no actual data loss. 
That is why it is\r\nusually used together with other techniques.\r\nFor instance, the ZeroCleare malware used against energy companies in the Middle East in 2019 also used this\r\ntechnique. It used the third-party driver management tool EldoS RawDisk (more on that later) to directly access\r\nhard drives, bypassing the protection mechanisms of the operating system (OS). Instead of overwriting files on the\r\nOS level, ZeroCleare overwrites the disks directly with 0x55 bytes. This, of course, starts with the MBR and\r\ncontinues with all partitions. A very clever technique we should mention when talking about ZeroCleare is that it\r\nbypassed Windows Driver Signature Enforcement (DSE), which protects Windows from loading unsigned\r\ndrivers (such as the RawDisk driver). To do that, it first loaded a publicly available, known-vulnerable signed\r\nVirtualBox driver. It then exploited the vulnerability in this legitimate driver to load RawDisk's unsigned driver. Once\r\nthat happened, it had direct access to the disks in the machine.\r\nOverwriting MFT\r\nMFT stands for Master File Table, and it exists on every NTFS filesystem. This is basically a catalog of all the\r\nfiles that exist on the filesystem, their metadata, and either the file content or the location where the file content is\r\nstored. If the MFT is corrupted, the operating system won't be able to find the files. This is a very easy and fast\r\nway for wiper malware to make files disappear. The one drawback is similar to corrupting the MBR: the file\r\ncontent is not necessarily destroyed. While the few files stored directly in the MFT would be erased, most of the\r\nfiles are stored somewhere else on the disk, and the MFT only provides their location to the OS. Without the MFT,\r\nthe OS won't be able to find the content, but the content is still there on the disk.\r\nA fascinating example is NotPetya again. 
It overwrote the MBR of the target machine with a custom boot loader\r\nand stored custom low-level code that this boot loader called. This code encrypted the MFT when the first restart\r\nhappened after the infection. Once the MFT was encrypted, it forced the machine to restart. After that second\r\nrestart, the device would no longer boot but only display the ransom note (Figure 2).\r\nUsing IOCTL\r\nIOCTL is the device input and output control interface in Windows. The DeviceIoControl() function is a general-purpose interface used to send control codes to devices. The control codes are essentially operations to be\r\nexecuted by the device driver. Malware uses this interface to collect information about the disks targeted for the\r\nactual wiping.\r\nIn the case of HermeticWiper, IOCTLs were used for the following purposes:\r\nDrive fragmentation (as opposed to defragmentation): spreading files around the drive makes a recovery\r\nmore difficult. To achieve this, the FSCTL_GET_RETRIEVAL_POINTERS and\r\nFSCTL_GET_MOVE_FILES IOCTL codes are used.\r\nParsing the drive's contents to identify the parts to be destroyed: To do this, the\r\nIOCTL_DISK_GET_DRIVE_LAYOUT_EX and IOCTL_DISK_GET_DRIVE_GEOMETRY_EX codes\r\nare used.\r\nCollecting occupied clusters to stage them for erasing: This is a performance improvement to ignore\r\nclusters not in use. For this, the FSCTL_GET_VOLUME_BITMAP and\r\nFSCTL_GET_VOLUME_BITMAP IOCTL codes are used.\r\nAnd finally, the FSCTL_GET_NTFS_FILE_RECORD code is used to load a record from an NTFS\r\nfilesystem.\r\nOnce HermeticWiper collects all the data it wants to erase to maximize the impact of the wiping, it uses the\r\nEaseUS Partition Master driver to overwrite the selected parts of the disk with random data.\r\nThird-party tooling\r\nIt was previously mentioned that malware sometimes uses third-party tools to overwrite data. 
They usually use the\r\nWindows driver of off-the-shelf products to bypass the protection mechanisms of Windows and manipulate the\r\ndisks directly. The primary reason for using third-party drivers is probably that poorly implemented drivers can\r\neasily crash the whole system, which would lead to investigation and detection. Attackers likely don't want to\r\ninvest time into writing their own drivers. Another reason might be that only signed drivers are allowed to be\r\nloaded on modern Windows systems, so if they wrote their own driver, they would need to bypass this security\r\nmechanism. This is, of course, not impossible, as we saw with ZeroCleare, which first loads a signed but\r\nvulnerable driver and then exploits that vulnerability to load the unsigned driver.\r\nThe two most widely used third-party tools are:\r\nEldoS RawDisk, used by the Shamoon and ZeroCleare wipers and by the Lazarus Group in their infamous\r\nSony Hack.\r\nEaseUS Partition Master, used by HermeticWiper.\r\nAll of the Above\r\nAs shown in the examples above, most wipers do not use just one technique but a combination. Wipers employ\r\nvarying complexity in trying to reach their goals. The more complex the malware is, the more techniques it needs\r\nto use. And, of course, the more techniques are used, the lower the probability that the data can be recovered.\r\nFortinet Telemetry\r\nFigure 3 shows Fortinet Anti-Virus (AV) detection numbers since January 2022 of various wiper malware\r\nsignatures. We can see that there was a significant increase. It is also interesting to see that there is still a lot of\r\nNotPetya detection, which can be explained by the fact that it is a worm, so, as long as there are vulnerable\r\nmachines out there, NotPetya will keep self-propagating. 
We can also see how the war-specific new wipers\r\nappeared in March and increased the numbers significantly.\r\nRecommendations to Minimize the Impact of Wiper Malware\r\nThere are several best practices organizations are urged to implement to minimize the impact of wiper malware:\r\nBackup: The most helpful countermeasure for ransomware and wiper malware is to have backups\r\navailable. Malware often actively searches for backups to destroy, on the machine (such as Windows Shadow Copies)\r\nor on the network. Therefore, backups must be stored off-site and off-line to survive\r\nsophisticated attacks. And when we talk about backups, it is important to mention that the existence of\r\nbackups is essential, but a detailed recovery process must also exist, and the IT team must regularly exercise\r\nrecovery from backup to minimize downtime.\r\nSegmentation: Proper network segmentation can be useful on multiple levels. For example, it can limit the\r\nimpact of an attack to one segment of the network. In addition, firewalls used in combination with anti-virus and intrusion prevention systems, such as FortiGate, FortiGuard IPS, and FortiGuard Content\r\nSecurity, can detect the propagation of malware on the network, communications to known command and\r\ncontrol servers, and malicious files as they are moved through the network.\r\nDisaster recovery plan: Once a wiper is deployed in the network, the question is how well the\r\norganization is prepared for such a situation. What processes have been defined for business continuity\r\nwithout IT? How will restoration from backups be done, and how will the organization communicate the\r\nincident to customers and the media? These are all questions that should be settled before an attack. 
All this\r\nand more should be defined in a disaster recovery plan, which will be invaluable under the extreme stress\r\nof an active compromise.\r\nIncident Response: The speed and the quality of incident response are crucial, and the outcome of the\r\nattack can highly depend on it. In a scenario where a compromise is detected before wiper malware is\r\ndeployed, the manner in which the incident response team handles and responds to the compromise could\r\nmean the difference between successfully averting data loss and complete data destruction. The FortiGuard\r\nIncident Response \u0026 Readiness Services is a trusted partner of many organizations for just this purpose.\r\nFortinet Protection\r\nFortinet products detect all malware discussed in this blog.\r\nFortinet Anti-Virus Signatures\r\nHermeticWiper:\r\nW32/KillDisk.NCV!tr\r\nW32/Agent.OJC!worm\r\nIsaacWiper:\r\nW32/KillMBR.NHQ!tr\r\nCaddyWiper:\r\nW32/CaddyWiper.NCX!tr\r\nWhisperKill:\r\nW32/KillFiles.NKU!tr.ransom\r\nWhisperGate:\r\nW32/KillMBR.NGI!tr\r\nMSIL/Agent.FP!tr.dldr\r\nMSIL/Agent.QWILJV!tr\r\nW32/KillFiles.NKU!tr.ransom\r\nMSIL/VVH!tr\r\nMSIL/Agent.VVH!tr\r\nShamoon:\r\nW32/DISTTRACK.C!tr\r\nW32/Generic.BQYIIWO!tr\r\nW64/DistTrack.A!tr\r\nMalware_Generic.P0\r\nDistTrack.Botnet\r\nOrdinypt:\r\nW32/Ordinypt.5873!tr.ransom\r\nOlympic Destroyer:\r\nW32/OlympicDestroyer.A!tr\r\nNotPetya:\r\nW32/Petya.EOB!tr\r\nW32/Petya.A!tr.ransom\r\nW64/Petya.BG!tr\r\nDustman:\r\nW32/Agent.F0FC!tr\r\nW64/Dustman.KH!tr\r\nW32/Distrack!tr\r\nZeroCleare:\r\nW32/Agent.XACVYS!tr\r\nW32/Distrack!tr\r\nDoubleZero:\r\nMSIL/DZeroWiper.CK!tr\r\nAcidRain:\r\nELF/AcidRain.A!tr\r\nIOCs (SHA-256 hashes of samples)\r\nATT\u0026CK TTPs\r\nID Name\r\nT1485 Data Destruction\r\nT1486 Data Encrypted for Impact\r\nT1561 Disk Wipe\r\nT1561.001 Disk Wipe: Disk Content Wipe\r\nT1561.002 Disk Wipe: Disk Structure Wipe\r\nT1495 Firmware Corruption\r\nT1529 System Shutdown/Reboot\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nT1569.002 System Services: Service Execution\r\nT1542.001 Pre-OS Boot: System Firmware\r\nT1542.002 Pre-OS Boot: Component Firmware\r\nT1542.003 Pre-OS Boot: Bootkit\r\nT1006 Direct Volume Access\r\nT1562.001 Impair Defenses: Disable or Modify Tools\r\nT1070.004 Indicator Removal on Host: File Deletion\r\nT1083 File and Directory Discovery\r\nFurther Reading\r\nShamoon - https://www.fortinet.com/blog/threat-research/research-furtive-malware-rises-again\r\nOlympic Destroyer - https://blog.talosintelligence.com/2018/02/olympic-destroyer.html\r\nDustman - https://www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/\r\nNotPetya - https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/\r\nNotPetya - https://www.fortinet.com/blog/threat-research/key-differences-between-petya-and-notpetya\r\nZeroCleare - https://www.ibm.com/downloads/cas/OAJ4VZNJ\r\nCaddyWiper - https://www.fortiguard.com/encyclopedia/virus/10082978\r\nHermeticWiper - https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/\r\nWhisperGate - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\r\nAcidRain - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/\r\nDoubleZero - https://cert.gov.ua/article/38088\r\nWhisperKill - https://cert.gov.ua/article/18101\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat"
	],
	"report_names": [
		"the-increasing-wiper-malware-threat"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438931,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c873c59e0bdb9d92d2ab7f8381ee7e9ef6a8d4f.pdf",
		"text": "https://archive.orkl.eu/1c873c59e0bdb9d92d2ab7f8381ee7e9ef6a8d4f.txt",
		"img": "https://archive.orkl.eu/1c873c59e0bdb9d92d2ab7f8381ee7e9ef6a8d4f.jpg"
	}
}