# SwiftSlicer: New destructive wiper malware strikes Ukraine

**[welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/](https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/)**

January 27, 2023

Sandworm continues to conduct attacks against carefully chosen targets in the war-torn country

[Editor](https://www.welivesecurity.com/author/editorla/) 27 Jan 2023 - 06:45PM

ESET researchers have uncovered a new wiper attack in Ukraine that they attribute to the [Sandworm APT group](https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew/).

Dubbed SwiftSlicer, the destructive malware was spotted on the network of a targeted organization on January 25. It was deployed through Group Policy, which suggests that the attackers had taken control of the victim’s Active Directory environment.

Some of the wipers spotted by ESET in Ukraine early into Russia’s invasion – [HermeticWiper](https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/) and [CaddyWiper](https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/) – were in some instances also planted in the same fashion. The latter was [last spotted on the network of Ukraine’s news agency Ukrinform](https://www.bleepingcomputer.com/news/security/ukraine-links-data-wiping-attack-on-news-agency-to-russian-hackers/) just days ago.

> #BREAKING On January 25th #ESETResearch discovered a new cyberattack in 🇺🇦 Ukraine. Attackers deployed a new wiper we named #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer wiper is written in Go programming language. We attribute this attack to #Sandworm. 1/3 [pic.twitter.com/pMij9lpU5J](https://t.co/pMij9lpU5J)
>
> [— ESET Research (@ESETresearch) January 27, 2023](https://twitter.com/ESETresearch/status/1618960022150729728?ref_src=twsrc%5Etfw)

SwiftSlicer is detected by ESET products as [WinGo/KillFiles.C](https://www.virustotal.com/gui/file/1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690). The malware was written in Go, a highly versatile, cross-platform programming language.

When it comes to SwiftSlicer’s method of destruction, ESET researchers had this to say: “Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer. For overwriting it uses 4096 bytes length block filled with randomly generated byte”.

Two months ago, ESET detected a wave of [RansomBoggs ransomware](https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/) attacks in the war-torn country that were also linked to Sandworm. The campaigns were just one of the latest additions to the long résumé of damaging attacks that the group has conducted against Ukraine over the past near-decade. Sandworm’s track record also includes a string of attacks – [BlackEnergy](https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/), [GreyEnergy](https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/) and the first iteration of [Industroyer](https://www.welivesecurity.com/2022/06/13/industroyer-cyber-weapon-brought-down-power-grid/) – that targeted energy providers. An [Industroyer2](https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/) attack was thwarted with help from ESET researchers in April of last year.

_To learn more about Sandworm’s campaigns in Ukraine in recent months, head over to [ESET APT Activity Report T3 2022](https://www.welivesecurity.com/2023/01/31/eset-apt-activity-report-t3-2022/)._
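A detection sketch for the file-overwrite behaviour in the ESET quote above (one process rewriting files under both the drivers and NTDS directories), added here as an example and not taken from ESET or the original article. The event tuple layout, the sample events, the resolution of the two paths under `C:\Windows` and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import normcase, normpath

# Assumed default resolution of the two paths named in ESET's description:
# %CSIDL_SYSTEM%\drivers and %CSIDL_SYSTEM_DRIVE%\Windows\NTDS.
WATCHED = {"drivers": normcase(r"C:\Windows\System32\drivers"),
           "ntds": normcase(r"C:\Windows\NTDS")}
WINDOW, MIN_FILES = timedelta(seconds=60), 3  # assumed tuning values

def watched_dir(path):
    """Return the label of the watched directory containing path, else None."""
    p = normcase(normpath(path))
    for label, root in WATCHED.items():
        if p.startswith(root + "\\"):
            return label

def find_mass_overwrites(events):
    """events: (iso_time, pid, image, target_path) file-write records.
    Flags a process writing MIN_FILES+ distinct watched files inside one WINDOW."""
    per_proc = defaultdict(list)
    for ts, pid, image, target in events:
        label = watched_dir(target)
        if label:
            per_proc[(pid, image)].append(
                (datetime.fromisoformat(ts), label, normcase(normpath(target))))
    alerts = []
    for (pid, image), writes in sorted(per_proc.items()):
        writes.sort()
        start, best = 0, set()
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > WINDOW:
                start += 1  # slide the window forward
            files = {(w[1], w[2]) for w in writes[start:end + 1]}
            if len(files) > len(best):
                best = files
        if len(best) >= MIN_FILES:
            alerts.append({"pid": pid, "image": image, "files": len(best),
                           "dirs": sorted({d for d, _ in best})})
    return alerts

# Constructed sample events, not real telemetry; process names are hypothetical.
SUSPECT, UPDATER = r"C:\Users\Public\example.exe", r"C:\Windows\System32\svchost.exe"
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01", 4242, SUSPECT, r"C:\Windows\System32\drivers\a.sys"),
    ("2024-01-01T10:00:02", 4242, SUSPECT, r"c:\windows\system32\DRIVERS\b.sys"),
    ("2024-01-01T10:00:03", 4242, SUSPECT, r"C:\Windows\NTDS\ntds.dit"),
    ("2024-01-01T10:00:04", 4242, SUSPECT, r"D:\share\report.docx"),
    ("2024-01-01T10:05:00", 900, UPDATER, r"C:\Windows\System32\drivers\c.sys")]
```

Legitimate driver installs and Active Directory database maintenance also write to these directories, so the window and file-count threshold need tuning per environment.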