{
	"id": "af99c60f-1dff-4ba3-abe8-e7a4499c09f4",
	"created_at": "2026-04-06T00:09:36.767782Z",
	"updated_at": "2026-04-10T03:21:32.106402Z",
	"deleted_at": null,
	"sha1_hash": "321e28ae6c06145e143ccb2f7d8be59c9b4c2352",
	"title": "Double header: IsaacWiper and CaddyWiper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 787486,
	"plain_text": "Double header: IsaacWiper and CaddyWiper\r\nBy Mark Stockley\r\nPublished: 2022-03-17 · Archived: 2026-04-05 15:00:06 UTC\r\nAs war in Ukraine rages, new destructive malware continues to be discovered. In this short blog post, we will review IsaacWiper and CaddyWiper, two new wipers that do not have much in common based on their source code, but that share the same intent of destroying targeted Ukrainian computer systems.\r\nIsaacWiper\r\nIsaacWiper was one of the artifacts security company ESET reported to be targeting Ukraine. Other artifacts were named as HermeticWiper (wiper), HermeticWizard (spreader) and HermeticRansom (ransomware). IsaacWiper is far less advanced than HermeticWiper, the first wiper that was found, which we analyzed here.\r\nIsaacWiper consists of an executable, compiled with Visual Studio. The executable imports functions like DeviceIoControl, WriteFile, MoveFile, GetDiskFreeSpaceEx and FindNextFileW. Although these functions are legitimate, the combination of all these imports could be suspicious. Section analysis, on the other hand, is perfectly normal. No strange segments are found, and entropy has the expected values:\r\nThe sample is presented in DLL form with just one export, named _Start@4, that contains the main functionality of the malware:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/\r\nPage 1 of 9\n\nThe malware will iterate through all system disks, overwriting the first bytes of these disks:\r\nThe following chunk shows an extract of the code responsible for that behavior. It can also be seen how the volume is unlocked after the write operations:\r\nWe have found that not only the physicalDrive but also the partitions are wiped in the process. The wiper will iterate through the filesystem, enumerating files and overwriting them. This behavior is similar to ransomware activity, but in this case there is no decryption key. Once the data has been overwritten, it is lost:\r\nThe attackers left various log strings in the code. An example of one of these debug strings, referenced inline, is presented below:\r\nIn fact, these debug strings describe the malware functionality pretty well. All debug strings are presented below:\r\nAs can be seen, the attackers’ goal is destroying data on victims’ systems. Affected users will lose their files, and their computers will be unbootable, forcing them to reinstall the OS.\r\nCaddyWiper\r\nCaddyWiper is the third wiper (after HermeticWiper and IsaacWiper) that was observed in this year’s attack on Ukraine. In contrast to HermeticWiper, this one is very small and has less complex capabilities.\r\nThe sample is not signed and its compilation date is 14 March 2022 07:19:36 UTC. The executable is dedicated to destroying files and partition information for each available disk.\r\nThe main function of the wiper can be seen below:\r\nFirst, the wiper checks if it is running on the Primary Domain Controller. The malware will avoid trashing Domain Controllers, probably because it wants to keep them alive for the purpose of propagation.\r\nIf the current machine is not a Domain Controller, the wiping starts. It recursively wipes files in the C:\\Users directory. Then, it iterates over the available hard disks, starting from “D:”, and recursively wipes all the files it can access.\r\nThe wiping is done in the following way:\r\nIt tries to grant access to the files before writing:\r\nAll the files and directories are enumerated by well-known APIs: FindFirstFileA / FindNextFileA. If the found element is a directory, the function is called recursively. If it is a file, a new buffer filled with 0s is allocated, and the file content is overwritten with it. The buffer is limited to 10 Mb max, so if the file is bigger than this, only the beginning of it will be wiped.\r\nInterestingly, this enumeration starts from the drive letter D (treating C as a separate case), so if there are any disks mounted as A or B, they are skipped. Finally, the malware wipes the layout information of the available disks/partitions:\r\nIt starts from \\\\.\\PHYSICALDRIVE9, and at each iteration decrements the partition number by one.\r\nThe wiping of the partition layout is implemented via an IOCTL sent to the drive device: IOCTL_DISK_SET_DRIVE_LAYOUT_EX. The malware sets an empty buffer as the new layout.\r\nThe sample is very mildly obfuscated and most of the used strings are stack-based. Also, the Import Table is very small, containing only one function. All the needed functions are dynamically retrieved with the help of a custom lookup routine:\r\nCaddyWiper is extremely light in comparison to HermeticWiper, which was the most complex of all the wipers that have been associated with those attacks. There is no code overlap between them, and most likely they have been written by different authors.\r\nProtection\r\nMalwarebytes clients are protected against both of these wipers:\r\nReferences\r\n1. https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/\r\n2. https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-ukraine-hit-by-destructive-attacks-before-and-during-the-russian-invasion-with-hermet/\r\nIndicators of Compromise\r\nIsaacWiper\r\n13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033\r\nCaddyWiper\r\na294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/"
	],
	"report_names": [
		"double-header-isaacwiper-and-caddywiper"
	],
	"threat_actors": [],
	"ts_created_at": 1775434176,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/321e28ae6c06145e143ccb2f7d8be59c9b4c2352.pdf",
		"text": "https://archive.orkl.eu/321e28ae6c06145e143ccb2f7d8be59c9b4c2352.txt",
		"img": "https://archive.orkl.eu/321e28ae6c06145e143ccb2f7d8be59c9b4c2352.jpg"
	}
}