{
	"id": "117c64fa-d336-42c4-ae06-1cbfe01f6aa8",
	"created_at": "2026-04-06T00:22:09.388854Z",
	"updated_at": "2026-04-10T13:11:28.229704Z",
	"deleted_at": null,
	"sha1_hash": "5025fc747290840ca15a2ed57a169f1dd65f610a",
	"title": "Sandworm Attackers Use WinRAR to Wipe Data from Government Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63999,
	"plain_text": "Sandworm Attackers Use WinRAR to Wipe Data from Government Devices\r\nPublished: 2023-05-04 · Archived: 2026-04-05 19:51:05 UTC\r\nSandworm (UAC-0165), a Russian hacking group, has been linked to an attack on Ukrainian state networks that\r\ninvolved wiping data from government devices using WinRAR, according to an advisory from the Ukrainian\r\nGovernment Computer Emergency Response Team (CERT-UA).\r\nThe attackers accessed critical systems by exploiting VPN accounts lacking multi-factor authentication (MFA).\r\nThen, they deleted files from Windows and Linux devices using scripts with the WinRAR archiving program.\r\nHow Did the Sandworm Attackers Wipe the Data?\r\nSandworm attackers used a BAT script while targeting Windows operating systems. The script,\r\ncalled “RoarBAT,” can search disks and specific directories for numerous file types and archive them using\r\nWinRAR. RoarBAT can search for the following file types: .doc, .docx, .rtf, .txt, .xls, .xlsx, .ppt, .pptx, .vsd,\r\n.vsdx, .pdf, .png, .jpeg, .jpg, .zip, .rar, .7z, .mp4, .sql, .php, .vbk, .vib, .vrb, .p7s, .sys, .dll, .exe, .bin, and .dat.\r\nRoarBat scans all drives for designated file types (Source: CERT-UA)\r\nThe Sandworm attackers used the “-df” command-line option while running WinRAR, which deletes the source\r\nfiles once they have been archived. 
Data on the devices was wiped when the archives themselves were then deleted, using\r\nthe del command combined with the name of the archive file.\r\nAccording to CERT-UA, the RoarBAT script was distributed to devices on the Windows domain using Group\r\nPolicy through a scheduled task.\r\nA scheduled task is established to execute the BAT script (Source: CERT-UA)\r\nThe threat actors used a Bash script on Linux systems, which employed the “dd” utility to overwrite target files\r\nwith zero bytes, making file recovery unlikely or impossible.\r\nThe attackers likely used legitimate programs such as ‘dd’ and WinRAR to avoid detection by security software.\r\nCERT-UA has stated that this incident is similar to a previous destructive attack that targeted the Ukrainian state\r\nnews agency “Ukrinform” in January 2023. That attack was also attributed to Sandworm.\r\nThe organization notes that the method used to carry out the attack, the IP addresses of the attackers, and the fact\r\nthat a modified version of RoarBat was used all provide evidence of the similarity between the two incidents.\r\nhttps://socradar.io/sandworm-attackers-use-winrar-to-wipe-data-from-government-devices/\r\nPage 1 of 3\n\nRecommendations\r\nTo protect against cyber attacks, CERT-UA recommends that all critical organizations in the country:\r\n1. Reducing their attack surface:\r\n- Patching vulnerabilities\r\n- Disabling unnecessary services\r\n- Restricting access to management interfaces\r\n2. Monitoring their network traffic and logs\r\n3. 
Protecting VPN accounts with multi-factor authentication\r\nIndicators of Compromise (IoC)\r\nFiles: UpdateRarService; update1.bat (RoarBat); WinRAR.exe (command-line RAR)\r\nHost: C:Usersupdate1.bat; UpdateRarService\r\nHow Can SOCRadar Help?\r\nIt is crucial to continuously track threat actors’ activities to gain insights into their tactics, techniques, and\r\nprocedures (TTPs) and improve the detection and prevention of malicious activities.\r\nSOCRadar detects threat actor activity by using automated data collection, classification, and AI-driven analysis\r\nof hundreds of sources across the web.\r\nYou can search for threat actors via SOCRadar’s Threat Actor Tracking module and find a full examination of\r\nthem, including IOCs, TTPs, related YARA/Sigma rules, and the latest mentions. The wealth of information on\r\nSOCRadar’s platform can help you define use cases and improve your ability to detect and prevent malicious\r\nactivities.\r\nSOCRadar’s Threat Actor Tracking tab\r\nSource: https://socradar.io/sandworm-attackers-use-winrar-to-wipe-data-from-government-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socradar.io/sandworm-attackers-use-winrar-to-wipe-data-from-government-devices/"
	],
	"report_names": [
		"sandworm-attackers-use-winrar-to-wipe-data-from-government-devices"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434929,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5025fc747290840ca15a2ed57a169f1dd65f610a.pdf",
		"text": "https://archive.orkl.eu/5025fc747290840ca15a2ed57a169f1dd65f610a.txt",
		"img": "https://archive.orkl.eu/5025fc747290840ca15a2ed57a169f1dd65f610a.jpg"
	}
}