{
	"id": "4e0707bd-f8dc-4fd2-9f84-5810c5d1dd0e",
	"created_at": "2026-04-10T03:22:09.924188Z",
	"updated_at": "2026-04-10T03:22:16.60456Z",
	"deleted_at": null,
	"sha1_hash": "4b076b5c4075d260202037d264607b4de831cb10",
	"title": "Threat Update: AcidRain Wiper | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5361242,
	"plain_text": "Threat Update: AcidRain Wiper | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2022-05-19 · Archived: 2026-04-10 02:27:53 UTC\r\nSplunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.\r\nThe Splunk Threat Research Team has analyzed a new malicious payload named AcidRain. This payload, deployed in the ongoing conflict zone of Eastern Europe, is designed to wipe modem and router devices (customer premises equipment, or CPEs). These devices provide internet connectivity and are usually built on embedded processor architectures such as MIPS (Microprocessor without Interlocked Pipeline Stages), which is prevalent in CPEs: single-purpose appliances rather than general-purpose desktops or servers. The payload is built to destroy these devices, which are common in commercial and residential infrastructure.\r\nTargeting MIPS devices also indicates the actors' interest in hitting CPEs in large numbers to cause widespread damage to commercial and residential infrastructure. This payload has been reported to have targeted satellite modems, affecting about 5,800 wind turbines. Targeting CPEs is not new; it is a recurring factor in very large DDoS campaigns, since these devices provide connectivity and can be aggregated to produce large attacks. The same applies to destroying them: it neutralizes anything that depends on that connectivity and affects the related services.\r\n
Most of these devices are civilian in nature, so their destruction affects civilian livelihoods as well.\r\nAcidRain is a MIPS-compiled ELF binary that targets modem and router devices to destroy or wipe data.\r\nInitial Checking\r\nThe payload first calls fork() and checks whether /dev/null can be opened; if either step fails, it exits. Otherwise the child starts a new session with setsid() and duplicates the /dev/null file descriptor, the standard daemonization pattern for a process that should keep running after its parent is gone. The original post shows this initial check as a code screenshot.\r\nhttps://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html\r\nPage 1 of 13\r\nSkipping Common Linux Directory\r\nIt has a function that enumerates the directories on the compromised host and skips the standard Linux system directories. Any directory whose name is not in the skip list (shown as a screenshot in the original post) is passed to the function we renamed recursive_wiper() for processing.\r\nThe recursive_wiper() function enumerates every directory and file under the chosen directory. When enumeration finds a regular file (DT_REG) or a symbolic link (DT_LNK), it overwrites it with a 0x8000-byte buffer of initialized data. When it finds another directory, it traverses that directory, wipes the files in it, and then deletes the directory with rmdir(). Both checks rely on the d_type value returned by readdir(), which some filesystems report as DT_UNKNOWN; the post does not say how the sample handles that case.\r\nAdmin Checks\r\nBefore the admin check, it allocates a 0x40000-byte buffer with malloc() that is later used to wipe every file it finds.\r\nIt then checks whether it is running as root by calling getuid().\r\n
When it is running as root, it executes the mw_wipe_non_common_lnx_dir() routine discussed above, followed by a series of functions that wipe or destroy the device files backing the router or modem storage, and then reboots the system. The original post shows this as a code screenshot: the root check, the file wiping, and the wiping of the storage device files.\r\nThe original post also includes a table (an image, not reproduced here) of the functions we renamed during analysis and the device files each one tries to destroy or wipe; these cover the router's flash memory (MTD), SD/MMC memory cards, and block devices.\r\nWiper Feature\r\nIt has two functions for overwriting or wiping device storage files. The first overwrites the device file with a data buffer of up to 0x40000 initialized bytes (screenshot in the original post, left). For “/dev/mtd*” devices it instead uses a series of ioctl commands, namely MEMUNLOCK, MEMERASE, MEMLOCK and MEMWRITEOOB. Flash can only be programmed from the erased state, so a raw MTD character device is wiped by clearing write protection (MEMUNLOCK), erasing at erase-block granularity (MEMERASE), restoring protection (MEMLOCK) and, on NAND, writing the out-of-band spare area (MEMWRITEOOB), rather than by ordinary write() calls.\r\n
The corresponding code is shown in the original post's screenshot (right).\r\nThe post also shows screenshots from our test of how the payload overwrites or wipes the /dev/mtdblock0 device file while running. The first is the strace log showing the sample writing its initialized buffer to the /dev/mtdblock0 device storage file, which wipes it.\r\nThe second is a hex view snippet of some of the device storage files after the AcidRain wiper has executed.\r\nDetections\r\nThe following detections were built by running the AcidRain sample on an Ubuntu Linux machine under the qemu-mips user-mode emulator. The queries are reproduced as archived; several lines are cut off at the right margin of the archived page.\r\nLinux High Frequency Of File Deletion In Etc Folder\r\nThis analytic looks for a high frequency of file deletions under the /etc/ folder, grouped by process name and process id.\r\n| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.fi\r\n FROM datamodel=Endpoint.Filesystem\r\n where Filesystem.action=deleted Filesystem.file_path = \"/etc/*\"\r\n by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action\r\n | `drop_dm_object_name(Filesystem)`\r\n |rename process_guid as proc_guid\r\n |join proc_guid, _time [\r\n | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_proce\r\n NOT (Processes.parent_process_name IN (\"/usr/bin/dpkg\", \"*usr/bin/python*\", \"*/usr/bin/apt-*\", \"/bin/rm\", \"*sp\r\n by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent\r\n | `drop_dm_object_name(Processes)`\r\n |rename process_guid as proc_guid\r\n | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid regist\r\n | table process_name process proc_guid action _time\r\n
deletedFileNames deletedFilePath numOfDelFilePath parent\r\n | where numOfDelFilePath \u003e= 200\r\nLinux Deletion Of Cron Jobs\r\nThis analytic looks for the deletion of cron jobs on a Linux machine. An attacker, threat actor or malware may delete scheduled cron jobs to disable security-related tasks or to evade detection, and such deletions are also a good indicator of malware that is trying to wipe or delete many files on the compromised host, as AcidRain does.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Filesystem.action=deleted Filesystem.file_path =\"/etc/cron.*\"\r\n by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.\r\n | `drop_dm_object_name(Filesystem)`\r\n |rename process_guid as proc_guid\r\n |join proc_guid, _time [\r\n | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_proce\r\n by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent\r\n | `drop_dm_object_name(Processes)`\r\n |rename process_guid as proc_guid\r\n | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid regist\r\n | table process_name process proc_guid file_name file_path action _time parent_process_name parent_process p\r\nLinux Deletion of Init Daemon Script\r\nThis analytic looks for the deletion of init daemon scripts on a Linux machine. Scripts placed in /etc/init.d/ start and stop daemon services, so their deletion can also be a good indicator of malware trying to wipe or delete many files, as AcidRain does.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM\r\n
datamodel=E\r\n where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/init.d/*\")\r\n by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.\r\n | `drop_dm_object_name(Filesystem)`\r\n |rename process_guid as proc_guid\r\n |join proc_guid, _time [\r\n | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_proce\r\n by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent\r\n | `drop_dm_object_name(Processes)`\r\n |rename process_guid as proc_guid\r\n | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid regist\r\n | table process_name process proc_guid file_name file_path action _time parent_process_name parent_process p\r\nLinux Deletion of SSL Certificate\r\nThis analytic looks for the deletion of SSL certificates on a Linux machine. An attacker may delete or modify SSL certificates to impair security features or as defense evasion on a compromised Linux machine.\r\n
This anomaly can also be a good indicator of malware trying to wipe or delete many files on a compromised host as part of a destructive payload, as AcidRain does on Linux hosts and routers.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Filesystem.action=deleted Filesystem.file_path = \"/etc/ssl/certs/*\" Filesystem.file_path IN (\"*.pem\", \"*\r\n by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.\r\n | `drop_dm_object_name(Filesystem)`\r\n |rename process_guid as proc_guid\r\n |join proc_guid, _time [\r\n | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_proce\r\n by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent\r\n | `drop_dm_object_name(Processes)`\r\n |rename process_guid as proc_guid\r\n | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid regist\r\n | table process_name process proc_guid file_name file_path action _time parent_process_name parent_process p\r\nLinux Deletion of SSH Key\r\nThis analytic looks for the deletion of SSH keys on a Linux machine. This anomaly can also be a good indicator of malware trying to wipe or delete many files on a compromised host as part of a destructive payload, as AcidRain does on Linux hosts and routers. The archived query joined the two key locations with AND, which a single file_path can never satisfy; the clause is written here with IN so that either location matches. Note also that ~ is not expanded during matching, so the second pattern only matches a path that literally starts with ~; substitute the absolute home directory paths your endpoint agent reports.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Filesystem.action=deleted Filesystem.file_path IN (\"/etc/ssh/*\", \"~/.ssh/*\") by _\r\n | `drop_dm_object_name(Filesystem)`\r\n |rename process_guid as proc_guid\r\n |join proc_guid, _time [\r\n | tstats\r\n
`security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_proce\r\n by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent\r\n | `drop_dm_object_name(Processes)`\r\n |rename process_guid as proc_guid\r\n | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid regist\r\n | table process_name process proc_guid file_name file_path action _time parent_process_name parent_process p\r\nLinux Deletion of Services\r\nThis analytic looks for the deletion of service unit files on a Linux machine. An attacker may delete or modify services to impair security features or as defense evasion on a compromised Linux machine. This TTP can also be a good indicator of malware trying to wipe or delete many files on a compromised host as part of a destructive payload, as AcidRain does on Linux hosts and routers.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/systemd/*\", \"/usr/lib/systemd/*\") Filesystem.f\r\n by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.\r\n | `drop_dm_object_name(Filesystem)`\r\n |rename process_guid as proc_guid\r\n |join proc_guid, _time [\r\n | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_proce\r\n by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent\r\n | `drop_dm_object_name(Processes)`\r\n |rename process_guid as proc_guid\r\n | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid regist\r\n | table process_name process proc_guid file_name\r\n
file_path action _time parent_process_name parent_process p\r\nMitigation\r\nMitigating these types of payloads can be very difficult. Because of their simplicity and small footprint, many of these devices cannot ship logs to a central collector where defenders could detect an attack. Because of the lack of standardization, many of them also carry unpatched vulnerabilities or vulnerable libraries waiting to be exploited by malicious actors.\r\nConsidering that many of these devices are used by personnel working from home for enterprises or even the military, it is necessary to understand that these vulnerabilities expose such perimeters to attack. If it is not possible to monitor, upgrade or even verify the integrity of these devices, the best course of action is to replace them with devices that allow integrity verification and monitoring.\r\nDiscarding affected devices may be necessary, as an infection may survive a reboot or a factory reset. Even devices not affected by this payload remain attractive to an advanced adversary because of the resources they provide once compromised. The following links give specific guidance on hardening:\r\nCISA Home Network Security Guide (ST15-002)\r\nCISA Securing Network Infrastructure Devices (ST18-001)\r\nNSA - Protecting VSAT Communications\r\nLearn More\r\nYou can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update. In the upcoming weeks, the Splunk Threat Research Team will be releasing a more detailed blog post on this analytic story.\r\n
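The six analytics above, re-implemented in plain Python as an added example that is not code from the original post, from Splunk's detection content, or SPL of any kind. It mirrors the rule logic (the one-hour window, the 200-path threshold, the parent-process allowlist and the path patterns) so the rules can be exercised offline against constructed events. Assumptions: numOfDelFilePath is read as the distinct count of deleted paths; the allowlist uses only the four entries visible in the archived query; the pattern *.crt is added beside *.pem because the certificate list is cut off; the ~/.ssh/* pattern is replaced by /root/.ssh/* and /home/*/.ssh/* because ~ is not expanded when matching; sample_events() is constructed telemetry, not real data.

```python
'''Pure-Python re-implementation of the six AcidRain file-deletion analytics.

Added example, not Splunk's own code: it mirrors the SPL logic so the
threshold, window, parent-process allowlist and path patterns can be
exercised offline. Each event stands in for one Endpoint.Filesystem row
already joined to its Endpoint.Processes row on process_guid, as the SPL does.
'''
from collections import defaultdict
from fnmatch import fnmatchcase

WINDOW_SECONDS = 3600        # by _time span=1h
HIGH_FREQ_THRESHOLD = 200    # where numOfDelFilePath >= 200

# Parent processes ignored by the high-frequency rule. The archived list is
# cut off after /bin/rm, so only the visible entries are used (assumption).
ALLOWLISTED_PARENTS = ('/usr/bin/dpkg', '*usr/bin/python*', '*/usr/bin/apt-*', '/bin/rm')

# (rule name, path patterns, extra file_path patterns that must also match).
# *.crt and the /root and /home SSH patterns are assumptions: the archived
# certificate list is cut off, and a literal ~/.ssh/* only matches a path
# that really begins with ~.
PATH_RULES = (
    ('Linux Deletion Of Cron Jobs', ('/etc/cron.*',), ('*',)),
    ('Linux Deletion of Init Daemon Script', ('/etc/init.d/*',), ('*',)),
    ('Linux Deletion of SSL Certificate', ('/etc/ssl/certs/*',), ('*.pem', '*.crt')),
    ('Linux Deletion of SSH Key', ('/etc/ssh/*', '/root/.ssh/*', '/home/*/.ssh/*'), ('*',)),
    ('Linux Deletion of Services', ('/etc/systemd/*', '/usr/lib/systemd/*'), ('*',)),
)


def _matches(value, patterns):
    return any(fnmatchcase(value, p) for p in patterns)


def path_rule_hits(events):
    '''Single-file rules: every deleted file whose path matches a rule.
    Returns (rule_name, file_path, process_guid) tuples in event order.'''
    hits = []
    for ev in events:
        if ev['action'] != 'deleted':
            continue
        for name, path_patterns, file_patterns in PATH_RULES:
            if _matches(ev['file_path'], path_patterns) and _matches(ev['file_path'], file_patterns):
                hits.append((name, ev['file_path'], ev['process_guid']))
    return hits


def high_frequency_etc_deletions(events, threshold=HIGH_FREQ_THRESHOLD):
    '''Volume rule: one process deleting >= threshold distinct /etc/ paths
    inside one hour bucket, with allowlisted parents excluded.
    Returns sorted (dest, process_guid, bucket_start, distinct_paths) tuples.'''
    buckets = defaultdict(set)
    for ev in events:
        if ev['action'] != 'deleted' or not fnmatchcase(ev['file_path'], '/etc/*'):
            continue
        if _matches(ev['parent_process_name'], ALLOWLISTED_PARENTS):
            continue   # package managers legitimately churn /etc
        bucket = int(ev['_time'] // WINDOW_SECONDS) * WINDOW_SECONDS
        buckets[(ev['dest'], ev['process_guid'], bucket)].add(ev['file_path'])
    return sorted((dest, guid, bucket, len(paths))
                  for (dest, guid, bucket), paths in buckets.items()
                  if len(paths) >= threshold)


def sample_events():
    '''Constructed telemetry (not real data): a wiper-like process removing
    250 distinct /etc paths in one hour, a dpkg child removing even more but
    allowlisted, and one benign deletion.'''
    base = 1652918400   # 2022-05-19 00:00:00 UTC, the start of an hour bucket
    wiper = {'dest': 'cpe-01', 'process_guid': 'guid-wiper', 'process_name': 'acidrain_sample',
             'parent_process_name': '/bin/sh', 'action': 'deleted'}
    dpkg = {'dest': 'cpe-01', 'process_guid': 'guid-dpkg-child', 'process_name': 'rm',
            'parent_process_name': '/usr/bin/dpkg', 'action': 'deleted'}
    sensitive = ['/etc/cron.d/backup', '/etc/init.d/networking', '/etc/ssl/certs/ca-bundle.pem',
                 '/etc/ssh/ssh_host_rsa_key', '/etc/systemd/system/dropbear.service']
    paths = sensitive + ['/etc/conf/file%d.conf' % i for i in range(245)]
    events = [dict(wiper, _time=base + i, file_path=p) for i, p in enumerate(paths)]
    events += [dict(dpkg, _time=base + 300 + i, file_path='/etc/old/pkg%d' % i) for i in range(300)]
    events.append(dict(wiper, process_guid='guid-admin', process_name='rm',
                       parent_process_name='/bin/bash', _time=base + 900, file_path='/etc/motd.bak'))
    return events


def run_all(events):
    '''Evaluate every rule and return {rule_name: number of hits}.'''
    summary = defaultdict(int)
    for name, _path, _guid in path_rule_hits(events):
        summary[name] += 1
    summary['Linux High Frequency Of File Deletion In Etc Folder'] = len(high_frequency_etc_deletions(events))
    return dict(summary)


if __name__ == '__main__':
    for rule, count in sorted(run_all(sample_events()).items()):
        print('%-55s %d' % (rule, count))
```

Run it directly to print a per-rule hit count: the wiper-like process trips all six rules, while the dpkg child, which deletes more /etc files than the threshold, is suppressed by the parent allowlist, and the single benign deletion is ignored. Dropping the threshold to 1 shows why the volume rule needs it; lowering it below the number of files a package upgrade touches is what the allowlist exists to absorb.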
Stay tuned!\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nFeedback\r\nAny feedback or requests? Feel free to open an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.\r\nWe would like to thank the following for their contributions to this post.\r\nTeoderick Contreras\r\nRod Soto\r\nJose Hernandez\r\nPatrick Barreiss\r\nLou Stella\r\nMauricio Velazco\r\nMichael Haag\r\nBhavin Patel\r\nEric McGinnis\r\nSource: https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html"
	],
	"report_names": [
		"threat-update-acidrain-wiper.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791329,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b076b5c4075d260202037d264607b4de831cb10.pdf",
		"text": "https://archive.orkl.eu/4b076b5c4075d260202037d264607b4de831cb10.txt",
		"img": "https://archive.orkl.eu/4b076b5c4075d260202037d264607b4de831cb10.jpg"
	}
}