{
	"id": "fc20ac30-1ad4-4f11-b781-cb6dba17a7f5",
	"created_at": "2026-04-06T01:31:20.146067Z",
	"updated_at": "2026-04-10T03:21:03.045198Z",
	"deleted_at": null,
	"sha1_hash": "2c87d51ee8fdc40bb411355f8e32465f16abeda3",
	"title": "CaddyWiper, a new data wiper hits Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94727,
	"plain_text": "CaddyWiper, a new data wiper hits Ukraine\r\nBy Pierluigi Paganini\r\nPublished: 2022-03-15 · Archived: 2026-04-06 00:10:49 UTC\r\nExperts discovered a new wiper, tracked as CaddyWiper, that was employed in\r\nattacks targeting Ukrainian organizations.\r\nExperts at ESET Research Labs discovered a new data wiper, dubbed CaddyWiper, that was employed in attacks\r\ntargeting Ukrainian organizations.\r\nThe security firm has announced the discovery of the malware with a series of tweets:\r\n“This new malware erases user data and partition information from attached drives,” ESET Research\r\nLabs reported. “ESET telemetry shows that it was seen on a few dozen systems in a limited number of\r\norganizations.”\r\nCaddyWiper is the third wiper observed by ESET in attacks against Ukraine after HermeticWiper and IsaacWiper;\r\nexperts pointed out that it does not share any significant code similarity with them.\r\nSimilar to HermeticWiper deployments, CaddyWiper was deployed via GPO, a circumstance that suggests the\r\nattackers had initially compromised the target’s Active Directory server.\r\nIn order to maintain access to the target organization while still disturbing operations, CaddyWiper avoids\r\ndestroying data on domain controllers. CaddyWiper uses the DsRoleGetPrimaryDomainInformation() function to\r\ndetermine if a device is a domain controller.\r\nThe CaddyWiper sample analyzed by ESET was not digitally signed, the malware was compiled.\r\nMicrosoft researchers also observed another wiper that was employed in attacks against Ukraine; it was tracked as\r\nWhisperGate.\r\nIn mid-February, the Security Service of Ukraine (SSU) revealed the country was the target of an ongoing\r\n“wave of hybrid warfare” conducted by Russia-linked malicious actors. 
Threat actors aim at destabilizing the\r\nsocial context in the country and instilling fear and distrust in the country’s government. Data wiper usage was part\r\nof this hybrid warfare strategy.\r\nSource: https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html"
	],
	"report_names": [
		"caddywiper-wiper-hits-ukraine.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439080,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c87d51ee8fdc40bb411355f8e32465f16abeda3.pdf",
		"text": "https://archive.orkl.eu/2c87d51ee8fdc40bb411355f8e32465f16abeda3.txt",
		"img": "https://archive.orkl.eu/2c87d51ee8fdc40bb411355f8e32465f16abeda3.jpg"
	}
}