{
	"id": "fab524f6-a856-429f-97f0-ceb98b355300",
	"created_at": "2026-04-06T00:13:25.972452Z",
	"updated_at": "2026-04-10T03:30:31.010721Z",
	"deleted_at": null,
	"sha1_hash": "457be9d4945f91c4e576d945b912132bcceeaeb7",
	"title": "Sandworm uses a new version of ArguePatch to attack targets in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 214058,
	"plain_text": "Sandworm uses a new version of ArguePatch to attack targets in\r\nUkraine\r\nBy Editor\r\nArchived: 2026-04-05 12:55:15 UTC\r\nUkraine Crisis – Digital Security Resource Center\r\nESET researchers spot an updated version of the malware loader used in the Industroyer2 and CaddyWiper attacks\r\n20 May 2022  •  , 2 min. read\r\nSandworm, the APT group behind some of the world’s most disruptive cyberattacks, continues to update its\r\narsenal for campaigns targeting Ukraine.\r\nThe ESET research team has now spotted an updated version of the ArguePatch malware loader that was used in\r\nthe Industroyer2 attack against a Ukrainian energy provider and in multiple attacks involving data wiping malware\r\ncalled CaddyWiper.\r\nThe new variant of ArguePatch – named so by the Computer Emergency Response Team of Ukraine (CERT-UA)\r\nand detected by ESET products as Win32/Agent.AEGY – now includes a feature to execute the next stage of an\r\nattack at a specified time. This bypasses the need for setting up a scheduled task in Windows and is likely intended\r\nto help the attackers stay under the radar.\r\nhttps://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader/\r\nPage 1 of 3\n\nAnother difference between the two otherwise highly similar variants is that the new iteration uses an official\r\nESET executable to hide ArguePatch, with the digital signature removed and code overwritten. The Industroyer2\r\nattack, meanwhile, leveraged a patched version of HexRays IDA Pro’s remote debug server.\r\nThe latest find builds on a string of discoveries that ESET researchers have made since just before Russia’s\r\ninvasion of Ukraine. On February 23rd, ESET’s telemetry picked up HermeticWiper on the networks of a number\r\nof high-profile Ukrainian organizations. The campaigns also leveraged HermeticWizard, a custom worm used for\r\npropagating HermeticWiper inside local networks, and HermeticRansom, which acted as decoy ransomware. \nThe\r\nnext day, a second destructive attack against a Ukrainian governmental network started, this time deploying\r\nIsaacWiper.\r\nIn the middle of March, ESET uncovered CaddyWiper on several dozen systems in a limited number of Ukrainian\r\norganizations. Importantly, ESET’s collaboration with CERT-UA led to the discovery of a planned attack\r\ninvolving Industroyer2, which was intended to be unleashed on a Ukrainian power company in April.\r\nIoCs for the new ArguePatch variant:\r\nFilename: eset_ssl_filtered_cert_importer.exe\r\nSHA-1 hash: 796362BD0304E305AD120576B6A8FB6721108752\r\nESET detection name: Win32/Agent.AEGY\r\nFurther resources:\r\nESET Research webinar: How APT groups have turned Ukraine into a cyber‑battlefield\r\nESET Research podcast: Ukraine’s past and present cyberwar\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nhttps://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader/\r\nPage 2 of 3\n\nSource: https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader/\r\nhttps://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader/"
	],
	"report_names": [
		"sandworm-ukraine-new-version-arguepatch-malware-loader"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434405,
	"ts_updated_at": 1775791831,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/457be9d4945f91c4e576d945b912132bcceeaeb7.pdf",
		"text": "https://archive.orkl.eu/457be9d4945f91c4e576d945b912132bcceeaeb7.txt",
		"img": "https://archive.orkl.eu/457be9d4945f91c4e576d945b912132bcceeaeb7.jpg"
	}
}