{
	"id": "3fb76771-4fcb-4eee-9245-33f27ce71157",
	"created_at": "2026-04-06T00:12:18.601427Z",
	"updated_at": "2026-04-10T13:13:02.395154Z",
	"deleted_at": null,
	"sha1_hash": "44639a38212da9f0d30d937b8b42a8246e4e5726",
	"title": "A deeper look at the malware being used on Ukrainian targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 167012,
	"plain_text": "A deeper look at the malware being used on Ukrainian targets\r\nBy Daryna Antoniuk\r\nPublished: 2023-01-12 · Archived: 2026-04-05 17:59:39 UTC\r\nOver the last two months, the number of cyberattacks against Ukrainian government agencies, security and\r\ndefense services, and commercial organizations has soared.\r\nBefore the war, Russia-linked hackers mostly attacked Ukraine to sow fear or panic and undermine trust in the\r\ngovernment. But security experts warn that recent ‘wiper’ attacks could leave millions of Ukrainians without\r\nelectricity and prevent them from receiving social assistance through government services or making payments\r\nwith online banks.\r\nSince February 24, Ukrainian security officials have identified at least eight new types of malware used by\r\nhackers to attack Ukraine: AcidRain, WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper,\r\nDoubleZero and Industroyer2.\r\nResearchers have not yet identified all threat actors responsible for developing these variants of malware, but\r\nmany attacks have been carried out by Kremlin-backed hacker groups, such as Sandworm, which are also\r\nattacking Europe and the U.S.\r\nKnowing what these new types of malware can do and who is behind them helps Ukrainian enterprises and state\r\nservices detect vulnerabilities early, Ukrainian security official Victor Zhora told The Record.\r\nAccording to him, the same hackers who are attacking Ukraine’s information infrastructure are also attacking\r\norganizations in the EU that are helping Ukrainian refugees. 
“This means that hackers are not limited to attacks on\r\nUkraine, but also to European cyberspace,” Zhora said.\r\nHere are some important things to know about the malware.\r\nWhisperGate \u0026 WhisperKill\r\nAttribution: Blamed on hackers tied to the Russian government.\r\nDetails of the attack: On the night of January 13 and into the following morning, unidentified hackers attempted to\r\ngain access to and deface the websites of more than 70 Ukrainian government agencies, according to Ukraine’s\r\nsecurity service. The attack successfully defaced 22 websites and severely damaged six.\r\nThe attackers used vulnerabilities in the October CMS website builder and employee accounts of a local IT firm\r\nnamed KitSoft to access servers hosting the sites and carry out the defacements.\r\nDescription: WhisperGate has some similarities to the NotPetya wiper that attacked Ukrainian businesses in 2017,\r\naccording to Cisco Talos: it is designed to look like ransomware but lacks a ransom recovery mechanism. \r\nhttps://therecord.media/a-deeper-look-at-the-malware-being-used-on-ukrainian-targets/\r\nPage 1 of 7\n\nIt destroys the master boot record (MBR) instead of encrypting it. 
The malware’s goal is to render targeted devices\r\ninoperable rather than to obtain a ransom, according to Microsoft.\r\nHow it works: WhisperGate downloads a payload that wipes the MBR, then downloads a malicious file hosted on\r\na Discord server, which drops and executes another wiper payload that destroys files on the infected machines.\r\nThe WhisperKill component, downloaded by WhisperGate, destroys files with specific extensions.\r\nThe attackers used stolen credentials to compromise their victims, and they likely had access to the victim's\r\nnetwork for months before the attack, according to Cisco.\r\nImage: TrendMicro\r\nHermeticWiper\r\nAttribution: The methodology and timing of the attack suggest the involvement of Russian government-associated\r\nhackers, according to Recorded Future.\r\nDetails of the attack: Several hours before the invasion, Ukrainian government agencies and banks were hit with\r\ndistributed denial-of-service, or DDoS, attacks that took some websites offline. After these attacks, a data wiper\r\nmalware called HermeticWiper was installed on hundreds of machines.\r\nThe attack might have been in preparation for almost two months, according to ESET. It had an impact outside\r\nUkraine – in Latvia and Lithuania, according to cybersecurity firm Symantec.\r\nDescription: This malware was named “HermeticWiper” based on a digital certificate from a company called\r\nHermetica Digital Ltd. It’s possible that the attackers used a shell company to issue a certificate that allows\r\nbypassing detection capabilities, such as Microsoft Defender SmartScreen and built-in browser protections.\r\nThis wiper is remarkable for its ability to bypass Windows security features and gain access to many low-level\r\ndata structures on the disk, according to Malwarebytes.\r\nBreaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. 
ESET\r\ntelemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS\r\nattacks against several Ukrainian websites earlier today 1/n— ESET Research (@ESETresearch)\r\nFebruary 23, 2022\r\nHow it works: The malware targets Windows devices, manipulating the master boot record, which results in\r\nsubsequent boot failure, according to SentinelLabs.\r\nThe malware is a 32-bit Windows executable with an icon resembling a gift, and it has to be run as administrator in order to work. As a\r\nresult of the malware execution, the data on the disk gets more fragmented.\r\nAs the execution progresses, some applications stop working because the malware overwrites some files with\r\nrandom data. After a reboot, the Windows OS will no longer work.\r\nIsaacWiper\r\nAttribution: Not yet determined\r\nDetails of the attack: IsaacWiper hit at least one Ukrainian government organization on the day of Russia’s\r\ninvasion.\r\nIts timestamp, October 19, 2021, suggests it was prepared months before the beginning of the full-scale war.\r\nIsaacWiper might have been used in previous operations, but not detected, ESET said.\r\nOn February 25, hackers dropped a new version of IsaacWiper with debug logs. This may indicate that earlier attacks\r\nweren’t successful. Debug strings would allow IsaacWiper’s developers to understand what was happening on\r\ninfected hosts.\r\nDescription: IsaacWiper is destructive malware that overwrites all physical disks and logical volumes on a\r\ncomputer, according to Recorded Future.\r\nThe attackers’ goal is to destroy data on the victim's systems and make their computers unbootable, forcing\r\nvictims to reinstall the OS.\r\nThere is no code overlap between IsaacWiper, HermeticWiper, and WhisperGate. IsaacWiper achieves a similar\r\noutcome by different means and is far less advanced than HermeticWiper, according to Malwarebytes.\r\nHow it works: This wiper iterates through the filesystem, enumerates files and overwrites them. 
This behavior is\r\nsimilar to ransomware activity, but in this case, there is no decryption key. Once the data has been overwritten, it\r\nis lost.\r\n#BREAKING #ESETresearch continues to investigate the #HermeticWiper incident. We uncovered a\r\nworm component #HermeticWizard, used to spread the wiper in local networks. We also discovered\r\nanother wiper, called #IsaacWiper deployed in #Ukraine. https://t.co/hBA2NKy5Lf 1/4\r\npic.twitter.com/NzPIsYiwWW— ESET Research (@ESETresearch) March 1, 2022\r\nAcidRain\r\nAttribution: Researchers have not yet attributed the attack, but said that it has similarities with VPNFilter\r\nmalware, which was attributed to the Russian-backed Fancy Bear hacking group by the FBI in 2018. More\r\nrecently, the NSA and CISA tied it to Sandworm.\r\nDetails of the attack: The cyberattack on U.S. satellite communications provider Viasat disrupted its work across\r\ncentral and eastern Europe. The destructive wiper malware AcidRain rendered Viasat’s KA-SAT network inoperable\r\non February 24, the day of Russia's invasion of Ukraine.\r\nThis attack also disconnected remote access to about 5,800 Enercon wind turbines across Germany and disrupted\r\nthe work of thousands of European organizations due to issues with satellite communications.\r\nThe attack took place in two phases, according to Viasat's statement: first, the DDoS attack temporarily knocked\r\noffline modems physically located within Ukraine. Then, modems gradually disappeared from the Viasat service.\r\nDescription: A new strain of wiper malware called AcidRain was discovered by SentinelLabs researchers on\r\nMarch 15 after it was uploaded to VirusTotal from a user in Italy with the name “ukrop,” which the researchers\r\nsay could be shorthand for “Ukraine operation.”\r\nAcidRain was designed to remotely erase vulnerable modems and routers, according to SentinelLabs. 
A wiper can\r\noverwrite key data in a modem’s flash memory, rendering it inoperable and in need of reflashing or replacing.\r\nHow it works: The wiper performs an in-depth wipe of the filesystem and various known storage device files,\r\nbefore attempting to destroy the data. Once the wiping processes are complete, the device is rebooted and\r\nultimately rendered inoperable.\r\nCaddyWiper\r\nAttribution: Not yet determined.\r\nDetails of the attack: This data-destroying malware affected a few dozen systems in a limited number of\r\norganizations on March 14, according to ESET.\r\nThen it was used again during the attack on the Ukrainian energy company on April 12, according to CERT-UA.\r\nIn both cases it was deployed via Group Policy Object (GPO), indicating the attackers had control of the target's\r\nnetwork beforehand.\r\n#BREAKING #ESETresearch warns about the discovery of a 3rd destructive wiper deployed in\r\nUkraine. We first observed this new malware we call #CaddyWiper today around 9h38 UTC. 1/7\r\npic.twitter.com/gVzzlT6AzN— ESET Research (@ESETresearch) March 14, 2022\r\nDescription: This malware erases user data and partition information from any drives attached to a compromised\r\nmachine. CaddyWiper does not share any significant code similarity with HermeticWiper or IsaacWiper. It was\r\nprobably compiled the same day it was deployed to targeted networks. Its sample was written in C++.\r\nHow it works: CaddyWiper overwrites files on the computer with null byte characters, making them\r\nunrecoverable. This malware can be executed with or without administrator privilege. In both cases, it causes\r\nlethal damage to the target machine. 
CaddyWiper execution without administrator privileges makes files\r\nworthless, according to Morphisec.\r\nDoubleZero\r\nAttribution: Not yet determined\r\nDetails of the attack: Hackers have launched spear-phishing attacks to disrupt the work of Ukrainian enterprises,\r\naccording to CERT-UA. Ukrainian cybersecurity researchers traced several ZIP archives containing DoubleZero\r\ndestructive malware.\r\nDescription: DoubleZero is a .NET-based malware that destroys files and registry keys on the infected system,\r\naccording to the Cisco Talos threat intelligence group. The malware first destroys non-system files and then\r\nsystem-related files.\r\nBefore shutting down the system, DoubleZero destroys the following Windows registry branches: HKCU, HKU,\r\nHKLM, HKLM\\BCD. \r\nHow it works: DoubleZero erases files in two ways: by overwriting them with zero blocks of 4096 bytes\r\n(FileStream.Write method) or using NtFileOpen, NtFsControlFile API calls (code: FSCTL_SET_ZERO_DATA).\r\nIt is still not clear how hackers compromised their victims, but according to eSentire Threat Intelligence, they\r\ncould gain access to the infected machines and use the existing administrative privileges or bypass the user\r\naccount control to manually execute the malware.\r\nIt is now impossible to determine when DoubleZero was compiled because hackers changed the timestamp to\r\nconfuse the researchers.\r\nIndustroyer2\r\nAttribution: Sandworm (UAC-0082)\r\nDetails of the attack: Russian hackers from the GRU military intelligence agency used Industroyer2 to attack\r\nelectrical substations of the Ukrainian energy company in the west-central Vinnytsia region, according to ?.\r\nIn addition to Industroyer2, Sandworm hackers used wiper malware called CaddyWiper and regular disk wipers\r\nfor Linux and Solaris operating systems—ORCSHRED, SOLOSHRED, and AWFULSHRED.\r\nSandworm tried to repeat its successful 2016 attack on Kyiv’s power grid when the initial variant of 
Industroyer\r\ncaused blackouts in parts of the city. This time Ukrainian officials say they thwarted the attack and no electrical\r\noutages were recorded.\r\nDescription: This malware is capable of interacting with industrial control systems (ICS) typically found in\r\nelectric power systems, according to the cybersecurity firm ESET, which said that it does not yet know how attackers\r\nmoved from the IT network to the ICS network.\r\nIndustroyer2 was compiled on March 23, but hackers penetrated the power grid networks at the end of February—\r\nbefore Russia invaded Ukraine—and uploaded Industroyer2 malware later, according to the Ukrainian state-controlled cyberattack response team CERT-UA.\r\nHow it works: Industroyer2 only implements the IEC 60870-5-104 protocol to communicate with industrial\r\nequipment. It can communicate with multiple devices at once. Before connecting to the targeted devices,\r\nIndustroyer2 terminates its daily operation and renames its file to prevent the automatic restart of its work.\r\nDaryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/a-deeper-look-at-the-malware-being-used-on-ukrainian-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/a-deeper-look-at-the-malware-being-used-on-ukrainian-targets/"
	],
	"report_names": [
		"a-deeper-look-at-the-malware-being-used-on-ukrainian-targets"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434338,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44639a38212da9f0d30d937b8b42a8246e4e5726.pdf",
		"text": "https://archive.orkl.eu/44639a38212da9f0d30d937b8b42a8246e4e5726.txt",
		"img": "https://archive.orkl.eu/44639a38212da9f0d30d937b8b42a8246e4e5726.jpg"
	}
}