{
	"id": "427ecdf2-ab8a-45bc-85b6-1d6b6066f352",
	"created_at": "2026-04-06T00:08:00.123002Z",
	"updated_at": "2026-04-10T03:35:26.328598Z",
	"deleted_at": null,
	"sha1_hash": "5100d9a26532c06a40f4a173fcea5b1ec5c41d2f",
	"title": "IsaacWiper (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102591,
	"plain_text": "IsaacWiper (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 16:38:56 UTC\r\nAccording to Recorded Future, IsaacWiper is a destructive malware that overwrites all physical disks and logical\r\nvolumes on a victim’s machine.\r\n2023-03-15 ⋅ Microsoft ⋅\r\nA year of Russian hybrid warfare in Ukraine\r\nCaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer\r\nWhisperGate 2022-10-24 ⋅ Youtube (Virus Bulletin) ⋅ Alexander Adamov\r\nRussian wipers in the cyberwar against Ukraine\r\nAcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2\r\nIsaacWiper KillDisk PartyTicket WhisperGate 2022-09-26 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita\r\nThe Anatomy of Wiper Malware, Part 3: Input/Output Controls\r\nCaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya\r\nSierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare 2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk\r\nOverview of the Cyber Weapons Used in the Ukraine - Russia War\r\nAcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper\r\nINDUSTROYER2 InvisiMole IsaacWiper PartyTicket 2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk\r\nOverview of the Cyber Weapons Used in the Ukraine - Russia War\r\nAcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper\r\nINDUSTROYER2 InvisiMole IsaacWiper PartyTicket 2022-08-12 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita\r\nThe Anatomy of Wiper Malware, Part 1: Common Techniques\r\nApostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye\r\nKillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) 
StoneDrill WhisperGate ZeroCleare\r\n2022-06-02 ⋅ Mandiant ⋅ Mandiant\r\nTRENDING EVIL Q2 2022\r\nCloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot 2022-05-04 ⋅ Twitter (@ESETresearch) ⋅ Twitter\r\n(@ESETresearch)\r\nTwitter thread on code similarity analysis, focussing on IsaacWiper and recent Cluster25 publication\r\nIsaacWiper 2022-05-03 ⋅ Cluster25 ⋅ Cluster25\r\nThe Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper\r\nVs Vatet\r\nCobalt Strike IsaacWiper PyXie 2022-05-02 ⋅ AT\u0026T ⋅ Fernando Martinez\r\nAnalysis on recent wiper attacks: examples and how wiper malware works\r\nAcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper 2022-04-28 ⋅ Fortinet ⋅ Gergely\r\nRevay\r\nAn Overview of the Increasing Wiper Malware Threat\r\nAcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer\r\nOrdinypt WhisperGate ZeroCleare 2022-04-27 ⋅ Microsoft ⋅ Microsoft Digital Security Unit (DSU)\r\nSpecial Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine\r\nCaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate 2022-03-25 ⋅\r\nGOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP)\r\nWho is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22\r\nXloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper\r\nIsaacWiper MicroBackdoor Pandora RAT 2022-03-24 ⋅ Recorded Future ⋅ Insikt Group®\r\nIsaacWiper Continues Trend of Wiper Attacks Against Ukraine\r\nIsaacWiper 2022-03-24 ⋅ NextGov ⋅ Brandi Vincent\r\nUkrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and\r\nHumanitarian Aid\r\nCaddyWiper DoubleZero HermeticWiper IsaacWiper 2022-03-24 ⋅ Recorded Future ⋅ Insikt 
Group\r\nIsaacWiper Continues Trend of Wiper Attacks Against Ukraine\r\nIsaacWiper 2022-03-18 ⋅ Malwarebytes ⋅ Threat Intelligence Team\r\nDouble header: IsaacWiper and CaddyWiper\r\nCaddyWiper IsaacWiper 2022-03-14 ⋅ Kaspersky ⋅ GReAT\r\nWebinar on cyberattacks in Ukraine – summary and Q\u0026A\r\nHermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate 2022-03-11 ⋅ Security Boulevard ⋅ Teri Robinson\r\nIsaacWiper Followed HermeticWiper Attack on Ukraine Orgs\r\nHermeticWiper IsaacWiper 2022-03-10 ⋅ BrightTALK (Kaspersky GReAT) ⋅ Costin Raiu, Dan Demeter, Ivan Kwiatkowski, Kurt\r\nBaumgartner, Marco Preuss\r\nBrightTALK: A look at current cyberattacks in Ukraine\r\nHermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate 2022-03-04 ⋅ IBM ⋅ John Dwyer, Kevin Henson\r\nNew Wiper Malware Used Against Ukranian Organizations\r\nIsaacWiper 2022-03-03 ⋅ LIFARS ⋅ LIFARS\r\nA Closer Look at the Russian Actors Targeting Organizations in Ukraine\r\nHermeticWiper IsaacWiper Saint Bot WhisperGate 2022-03-01 ⋅ ESET Research ⋅ ESET Research\r\nIsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine\r\nHermeticWiper IsaacWiper PartyTicket 2022-03-01 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nSecond New 'IsaacWiper' Data Wiper Targets Ukraine After Russian Invasion\r\nIsaacWiper Sunglow Blizzard 2022-02-28 ⋅ Microsoft ⋅ MSRC Team\r\nCyber threat activity in Ukraine: analysis and resources\r\nCaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate\r\nDEV-0586 2022-02-28 ⋅ Microsoft ⋅ MSRC Team\r\nCyber threat activity in Ukraine: analysis and resources\r\nHermeticWiper IsaacWiper PartyTicket WhisperGate\r\n[TLP:WHITE] win_isaacwiper_auto (20251219 | Detects win.isaacwiper.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper"
	],
	"report_names": [
		"win.isaacwiper"
	],
	"threat_actors": [
		{
			"id": "11f52079-26d3-4e06-8665-6a0b3efdc41c",
			"created_at": "2022-10-25T16:07:23.736987Z",
			"updated_at": "2026-04-10T02:00:04.732021Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [
				"UAC-0035"
			],
			"source_name": "ETDA:InvisiMole",
			"tools": [
				"InvisiMole"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b",
			"created_at": "2023-01-06T13:46:39.095233Z",
			"updated_at": "2026-04-10T02:00:03.21157Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [],
			"source_name": "MISPGALAXY:InvisiMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "96476518-d729-4ce6-835d-c8843c746eea",
			"created_at": "2024-02-02T02:00:04.039304Z",
			"updated_at": "2026-04-10T02:00:03.536508Z",
			"deleted_at": null,
			"main_name": "Sunglow Blizzard",
			"aliases": [
				"DEV-0665"
			],
			"source_name": "MISPGALAXY:Sunglow Blizzard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434080,
	"ts_updated_at": 1775792126,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5100d9a26532c06a40f4a173fcea5b1ec5c41d2f.pdf",
		"text": "https://archive.orkl.eu/5100d9a26532c06a40f4a173fcea5b1ec5c41d2f.txt",
		"img": "https://archive.orkl.eu/5100d9a26532c06a40f4a173fcea5b1ec5c41d2f.jpg"
	}
}