{
	"id": "186cf46d-168d-4e46-be36-4526c388bd8b",
	"created_at": "2026-04-06T00:15:31.407681Z",
	"updated_at": "2026-04-10T03:30:30.638232Z",
	"deleted_at": null,
	"sha1_hash": "5f20bdf04c4571d29df4c610d91231b2b9514394",
	"title": "SwiftSlicer: New destructive wiper malware strikes Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 432814,
	"plain_text": "SwiftSlicer: New destructive wiper malware strikes Ukraine\r\nBy Editor\r\nArchived: 2026-04-05 19:37:38 UTC\r\nUkraine Crisis – Digital Security Resource Center\r\nSandworm continues to conduct attacks against carefully chosen targets in the war-torn country\r\n27 Jan 2023  •  , 1 min. read\r\nESET researchers have uncovered a new wiper attack in Ukraine that they attribute to the Sandworm APT group.\r\nDubbed SwiftSlicer, the destructive malware was spotted on the network of a targeted organization on January\r\n25th. It was deployed through Group Policy, which suggests that the attackers had taken control of the victim’s\r\nActive Directory environment.\r\nSome of the wipers spotted by ESET in Ukraine early into Russia’s invasion – HermeticWiper and CaddyWiper –\r\nwere in some instances also planted in the same fashion. The latter was last spotted on the network of Ukraine’s\r\nnews agency Ukrinform just days ago.\r\nSwiftSlicer is detected by ESET products as WinGo/KillFiles.C. The malware was written in Go, a highly\r\nversatile, cross-platform programming language.\r\nWhen it comes to SwiftSlicer’s method of destruction, ESET researchers had this to say: “Once executed it deletes\r\nshadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\\drivers,\r\nhttps://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/\r\nPage 1 of 2\n\n%CSIDL_SYSTEM_DRIVE%\\Windows\\NTDS and other non-system drives and then reboots computer. For\r\noverwriting it uses 4096 bytes length block filled with randomly generated byte”.\r\nTwo months ago, ESET detected a wave of RansomBoggs ransomware attacks in the war-torn country that were\r\nalso linked to Sandworm. The campaigns were just one of the latest additions to the long résumé of damaging\r\nattacks that the group has conducted against Ukraine over the past near-decade. 
Sandworm's track record also\r\nincludes a string of attacks – BlackEnergy, GreyEnergy and the first iteration of Industroyer – that targeted energy\r\nproviders. An Industroyer2 attack was thwarted with help from ESET researchers in April of last year.\r\nTo learn more about Sandworm's campaigns in Ukraine in recent months, head over to ESET APT Activity Report\r\nT3 2022.\r\nSource: https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"
	],
	"report_names": [
		"swiftslicer-new-destructive-wiper-malware-ukraine"
	],
	"threat_actors": [
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f20bdf04c4571d29df4c610d91231b2b9514394.pdf",
		"text": "https://archive.orkl.eu/5f20bdf04c4571d29df4c610d91231b2b9514394.txt",
		"img": "https://archive.orkl.eu/5f20bdf04c4571d29df4c610d91231b2b9514394.jpg"
	}
}