{
	"id": "b552399a-46c1-44b6-8be8-9be49b425473",
	"created_at": "2026-04-06T00:18:43.530512Z",
	"updated_at": "2026-04-10T03:19:58.511474Z",
	"deleted_at": null,
	"sha1_hash": "30dc20e1028f05cfaabfce7daabc3f3b02f162f5",
	"title": "New Analysis: The CaddyWiper Malware Attacking Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 541062,
	"plain_text": "New Analysis: The CaddyWiper Malware Attacking Ukraine\r\nBy Michael Dereviashkin\r\nArchived: 2026-04-05 20:03:08 UTC\r\nAs Russia’s invasion of Ukraine continues, new wiper malware has surfaced attacking Ukrainian infrastructure.\r\nCaddywiper was first detected on March 14, 2022. It destroys user data, partitions information from attached\r\ndrives, and has been spotted on several dozen systems in a limited number of organizations. CaddyWiper has been\r\ndeployed via GPO, suggesting the attackers had initially compromised the target’s Active Directory server.\r\nMorphisec Labs’ CaddyWiper analysis follows.\r\nCaddyWiper is the fourth wiper observed attacking Ukrainian targets. WhisperGate was the first wiper. It was\r\nused in attacks on Ukrainian government agencies ahead of the invasion. WhisperGate was soon followed by\r\nHermeticWiper and IsaacWiper, with CaddyWiper the third wiper deployed in as many weeks.\r\nCaddyWiper Chart\r\nThis chart details the CaddyWiper execution flow:\r\nTechnical Analysis\r\nMain Functionality\r\nhttps://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine\r\nPage 1 of 7\n\nIf the computer that CaddyWiper was executed on is not a domain controller (DC), the machine won’t be harmed.\r\nIf it is a PDC, Caddy starts wiping at “C:\\Users” in order not to break the operating system before the wiping\r\nprocess completes. It then deletes every drive letter from “D:\\” drive to “Z:\\”. If Caddy was run with administrator\r\nprivileges, it also deletes the partition of the physical hard drives to absolutely wreck the operating system.\r\nThe below text describes this flow:\r\nDynamic API Loading\r\nCaddy uses the process environment block (PEB) to resolve the required Windows application programming\r\ninterface (API). This is to evade static and dynamic scanners. 
As part of reputation scoring, scanners check for a populated executable import directory, and dynamic monitoring relies on hooking imported APIs. Caddy declares only the DsRoleGetPrimaryDomainInformation API in its import address table (IAT); everything else is resolved at runtime through the PEB.\r\nThe image below displays the API resolution process through the PEB:\r\nPseudocode is available here (Password: morphisec)\r\nFile Wiping\r\nThe function wipepath performs the actual wiping of a file. It handles hidden and system files and additionally acquires discretionary access control over the file at the given path, so that as many files as possible are wiped. As a performance optimization it overwrites at most the first 10MB of each file.\r\nSee below the wipepath function:\r\nDiscretionary Access Control\r\nThe wiper first tries to change the DACL of the file object directly, which only succeeds if the account running the Caddy process has WRITE_DAC access to the object or already owns it. If that attempt fails, the code enables SeTakeOwnershipPrivilege, makes the local Administrators group the owner of the object, and then rewrites the DACL. The code used in Caddy is similar to the MSDN example for taking object ownership.\r\nPartition Wiping\r\nThe IOCTL_DISK_SET_DRIVE_LAYOUT_EX control code passed to DeviceIoControl is normally used to repartition a disk according to the supplied drive layout and partition information. Here, however, it is used to wipe 0x780 bytes of partition-layout data on each physical drive, iterating from “\\\\.\\PHYSICALDRIVE9” down to “\\\\.\\PHYSICALDRIVE0”. 
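Because wipepath overwrites only the leading 10MB of a file, anything larger keeps its tail, and that cap is a usable triage signal after the fact. As an added example (not code from the Morphisec write-up), the Python below classifies every file under a directory by the length of its all-zero prefix. It assumes the wiped region is zero-filled, which the text does not state, and the sample files it creates in a temporary directory are constructed, not recovered artifacts.

```python
# Added example, not from the Morphisec analysis: post-incident triage of files
# damaged by a wiper that overwrites at most the first 10 MB of each file.
# Assumption: the overwritten bytes are zeros (the text only says "wipes").
import os
import tempfile

WIPE_CAP = 10 * 1024 * 1024      # per-file maximum the analysis reports
READ_CHUNK = 1024 * 1024


def leading_zero_run(path: str, limit: int = WIPE_CAP) -> int:
    """Length of the all-zero prefix of `path`, examining at most `limit` bytes."""
    run = 0
    with open(path, "rb") as fh:
        while run < limit:
            block = fh.read(min(READ_CHUNK, limit - run))
            if not block:
                break
            zeros = len(block) - len(block.lstrip(b"\0"))
            run += zeros
            if zeros < len(block):      # first non-zero byte found
                break
    return run


def classify(path: str) -> str:
    """'wiped' (whole file zeroed), 'head-wiped' (tail beyond the cap survives),
    'empty' or 'intact'."""
    size = os.path.getsize(path)
    if size == 0:
        return "empty"
    if leading_zero_run(path) >= min(size, WIPE_CAP):
        return "wiped" if size <= WIPE_CAP else "head-wiped"
    return "intact"


def scan_tree(root: str) -> dict:
    """Map every regular file under root to its verdict; symlinks are skipped."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                try:
                    verdicts[p] = classify(p)
                except OSError as exc:   # locked or unreadable: record and keep going
                    verdicts[p] = f"error: {exc.strerror}"
    return verdicts


def make_fixture(root: str) -> None:
    """Constructed samples: an intact file, a small file zeroed entirely, and a
    large file whose first 10 MB are zero while the tail survives."""
    with open(os.path.join(root, "intact.docx"), "wb") as f:
        f.write(b"PK\x03\x04" + os.urandom(4096))
    with open(os.path.join(root, "small.xlsx"), "wb") as f:
        f.write(bytes(4096))
    with open(os.path.join(root, "big.pst"), "wb") as f:
        f.write(bytes(WIPE_CAP))
        f.write(os.urandom(4096))        # bytes past the cap are untouched


def demo() -> dict:
    """Build the fixture in a temp dir and return {file name: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        make_fixture(root)
        return {os.path.basename(p): v for p, v in scan_tree(root).items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name}: {verdict}")
```

On a live system the scan would start at C:\Users and the D: to Z: drive letters the text names; files legitimately beginning with long zero runs (sparse images, some database files) will show up as false positives, so the verdict is a prioritisation aid, not proof of wiping.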
This partition wipe, however, can only be performed if Caddy is executed with administrator privileges.\r\nThe Impact\r\nCaddyWiper can be executed with or without administrator privileges, and in both cases it inflicts severe damage on the target machine. Run without administrator privileges, CaddyWiper renders files worthless, as seen below:\r\nAnd when CaddyWiper runs with administrator privileges, it renders the operating system useless as well:\r\nCaddyWiper Analysis\r\nCaddy is a sophisticated wiper that can turn any machine it is deployed against into a very expensive doorstop. Unfortunately, traditional endpoint security solutions have a hard time preventing sophisticated attacks such as CaddyWiper. Due to its evasive, polymorphic nature, CaddyWiper hides its functionality from runtime monitoring and pattern matching. By the time the impact is visible the damage is already done; response time is irrelevant when it comes to wipers or ransomware.\r\nReactive and static antivirus (AV) and endpoint detection and response (EDR) solutions need augmentation to prevent APTs and lower the risk of breaches, lawsuits, fines, and brand damage. Morphisec provides this additional defense layer and virtual patching with Moving Target Defense (MTD) technology. MTD creates a dynamic attack surface threat actors can’t penetrate, causing them to abort attacks. 
To learn more about Moving Target Defense, read the white paper: Zero Trust + Moving Target Defense: Stopping Ransomware, Zero-Day, and Other Advanced Threats Where NGAV and EDR Are Failing.\r\nIndicators of Compromise (IOCs)\r\nSHA-256 hashes:\r\na294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea\r\n1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176\r\nea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72\r\nf1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902\r\nb66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7\r\n9d83817f7cae01554f77680ed7e6698966bcf020915c0dc411e5d57f6eea6ed4\r\n5cc51f29c6074d9741d6e68bcf9ce8363d623437ea11506a36791b4763cefdc7\r\nAbout the author\r\nMichael Dereviashkin\r\nSource: https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine"
	],
	"report_names": [
		"caddywiper-analysis-new-malware-attacking-ukraine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30dc20e1028f05cfaabfce7daabc3f3b02f162f5.pdf",
		"text": "https://archive.orkl.eu/30dc20e1028f05cfaabfce7daabc3f3b02f162f5.txt",
		"img": "https://archive.orkl.eu/30dc20e1028f05cfaabfce7daabc3f3b02f162f5.jpg"
	}
}